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ABSTRACT 


This  study  argues  that  the  United  States  paradigm  for  the  cybersecurity  of  critical 
infrastructure  is  flawed.  For  nearly  two  decades,  repeated  Presidential  attempts,  along 
with  Congressional  efforts,  to  revise  cybersecurity  policies  result  in  new  policies  that 
contain  old  and  unproven  principles.  Meanwhile,  the  cyber  vulnerabilities  within  critical 
infrastructure  information  environments  and  the  lethality  of  the  global  cyber  threats  to 
those  national  assets  continue  to  grow.  This  research  identifies  and  examines  the 
foundational  policy  threads  that  resurface  within  consecutive  Presidential  cybersecurity 
policy  initiatives  over  the  previous  twenty  years.  Collectively,  these  consistent  themes 
constitute  the  United  States’  paradigm  for  cybersecurity.  Although  the  United  States’ 
approach  to  cybersecurity  cumulatively  evolved  during  the  past  twenty  years,  its 
foundational  principles  remain  unchanged,  in  error,  and  incapable  of  solving  the  nation’s 
cybersecurity  challenges.  Specifically,  two  unproven  beliefs,  the  Self-Regulation  and 
Incremental  Progress  theories,  remain  consistent  stalwarts  throughout  subsequent  polices 
covering  the  cybersecurity  of  critical  infrastructure.  The  United  States  requires 
revolutionary  thinking  to  defend  critical  infrastructures  against  a  twenty-first  century 
cyber  threat.  Unfortunately,  the  traditional  paradigm  hinders  innovative  thinking  about 
an  evolving  problem.  The  United  States  faulty  cybersecurity  paradigm  rests  upon 
unproven  theories  that  left  unchanged,  trend  the  nation  toward  a  national  catastrophe. 

This  thesis  examines  the  United  States’  evolution  of  cybersecurity  policies 
through  the  lens  of  Thomas  Kuhn’s  change  theory.  Thomas  Kuhn’s  theory  of  change 
illuminates  why  two  decades  of  national  security  policy  continue  to  employ  erroneous 
beliefs  about  securing  the  information  environments  that  support  national  infrastructures. 
According  to  Kuhn,  periodically  a  series  of  events  creates  a  critical  point  in  which  the 


long-held  beliefs  cease  to  resolve  the  complexities  within  an  environment  and  create  the 
conditions  for  a  paradigm  change.  The  United  States  is  at  just  such  an  inflection  point. 

This  thesis  adds  to  the  growing  cybersecurity  policy  body  of  work  by  thoroughly 
examining  the  major  cybersecurity  policies  beginning  with  the  digital  explosion  of  the 
late  nineteen  nineties.  This  thesis  also  identifies  the  flawed  threads  of  policy  that 
continually  survive  successive  Presidential  administrations.  Ultimately,  this  study 
analyzes  the  cybersecurity  environment  and  submits  a  fundamentally  different  paradigm 
for  the  cybersecurity  of  critical  infrastructure.  The  new  paradigm  calls  for  a  revision  of 
commonly  accepted  cyberspace  definitions,  revitalizing  the  United  States  sensibilities  for 
high  risk/high  pay-off  technological  innovations,  an  increased  focus  on  creating 
inherently  secure  software,  and  the  establishment  of  legislation  targeted  toward  private 


owners  of  national  critical  infrastructures. 


ACKNOWLEDGEMENT 


First,  and  foremost,  I  would  like  to  thank  my  entire  family  for  their  love,  support 
and  understanding.  I  am  particularly  grateful  to  my  wife  for  her  understanding  and 
assistance  in  reviewing  and  editing  this  endeavor  -  Sweetheart,  I  love  you! 

I  would  also  like  acknowledge  the  students  and  instructors  of  JAWS,  Seminar  2. 
Their  collective  insight  and  experience  was  instrumental  to  this  year’s  educational 
experience. 

Specifically,  I  would  like  to  thank  COL  Tom  Rickard  and  Dr.  Byron  Greenwald. 
COL  Rickard’s  critiques  of  my  countless  cybersecurity  ideas  during  countless  hours  of 
carpooling  were  very  much  appreciated.  Finally,  Dr.  Greenwald’ s  theory  and  history 
lessons,  as  well  as,  his  mentorship  as  a  thesis  advisor  highly  influenced  my  historical 
perspectives  about  the  twenty-first  century  threat  of  cybersecurity. 


TABLE  OF  CONTENTS 


INTRODUCTION . 1 

CHAPTER  1:  FOUNDATIONS . 7 

Evolution  of  ARPANet . 7 

What  is  Cyberspace? . 15 

The  Cyber  Threat  Picture . 24 

Case  Study:  Stuxnet . 32 

CHAPTER  2:  CYBER  SPACE  POLICY  REVIEW . 39 

The  Second  Clinton  Administration  (1996-2000) . 40 

The  Bush  Administration  (2001-2008) . 47 

The  Federal  Information  Security  Management  Act  of  2002 . 48 

The  2003  National  Strategy  to  Secure  Cyber  Space . 53 

The  First  Obama  Administration  (2009-2012) . 58 

The  2009  Cyber  Space  Policy  Review . 58 

CHAPTER  3:  RECOMMENDATIONS . 62 

Recommendation:  Redefining  Cyberspace . 62 

Recommendation:  Game  Changing  Culture . 65 

Recommendation:  Open  Highway  &  Secured  Exits . 68 

Recommendation:  Limited  Liability  Legislation . 71 

CONCLUSION . 75 

BIBLIOGRAPHY . 78 

VITA  . 87 


INTRODUCTION 


The  transition  from  a  paradigm  in  crisis  to  a  new  one  from  which  a  new  tradition  of 
normal  science  can  emerge  is  far  from  a  cumulative  process.... Rather  it  is  a 
reconstruction  of  the  field  from  new  fundamentals,  a  reconstruction  that  changes  some  of 
the  field's  most  elementary  theoretical  generalizations,  as  well  as,  many  of  its  paradigm 
methods  and  applications. . ..When  the  transition  is  complete,  the  profession  will  have 
changed  its  view  of  the  field,  its  methods,  and  its  goals.1  —Thomas  S.  Kuhn 

This  study  argues  that  the  United  States  paradigm  for  the  cybersecurity  of  critical 

infrastructure  is  flawed.  For  nearly  two  decades,  the  United  States  has  continued  to 

employ  cybersecurity  principles  that  fail  to  protect  critical  infrastructure  information 

environments  from  an  evolving  cyber  threat.  Repeated  Presidential  attempts,  along  with 

Congressional  efforts,  to  revise  cybersecurity  policies  result  in  new  policies  that  contain 

old  and  unproven  principles.  Meanwhile,  the  cyber  vulnerabilities  within  critical 

infrastructure  information  environments  and  the  lethality  of  the  global  cyber  threats  to 

those  national  assets  continue  to  grow. 

The  technological  explosion  over  the  last  twenty  years,  including  the  growth  of 
the  Internet,  revolutionized  the  manner  in  which  modem  society  processes,  stores,  and 
shares  information.  The  United  States’  dependence  upon  interconnected  information  and 
computing  technologies  (ICT)  is  second  only  to  its  addiction  to  oil.  Along  with  increased 
productivity  and  interconnectedness,  Information  Age  societies  face  cyber  related  threats 
to  the  critical  infrastructures  that  underpin  their  globalized  economies.  This  research 
identifies  and  examines  the  foundational  policy  threads  that  resurface  within  consecutive 
Presidential  cybersecurity  policy  initiatives  over  the  previous  twenty  years.  Collectively, 
these  consistent  themes  constitute  the  United  States’  paradigm  for  cybersecurity. 

1  Thomas  S.  Kuhn,  The  Structure  of  Scientific  Revolutions,  3rd  ed.  (Chicago:  The  University  of 
Chicago  Press,  1962),  84-85. 

2  Within  this  thesis  the  term  cybersecurity  strictly  refers  to  the  cyber  defense  of  United  States 
critical  infrastrucutre. 
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Although  the  United  States’  approach  to  cybersecurity  cumulatively  evolved  during  the 
past  twenty  years,  its  foundational  principles  remain  unchanged,  in  error,  and  incapable 
of  solving  the  nation’s  cybersecurity  challenges.  Specifically,  two  unproven  beliefs,  the 
Self-Regulation  and  Incremental  Progress  theories,  remain  consistent  stalwarts 
throughout  subsequent  polices  covering  the  cybersecurity  of  critical  infrastructure.  The 
United  States  requires  revolutionary  thinking  to  defend  critical  infrastructures  against  a 
twenty-first  century  cyber  threat.  Unfortunately,  the  traditional  paradigm  hinders 
innovative  thinking  about  an  evolving  problem.  For  example,  the  1 12th  Congress,  armed 
with  the  aforementioned  principles,  voted  down  two  excellent  legislative  bills  (the 
Cybersecurity  Act  of  2012  and  the  SECURE  IT  Act  of  2012)  that  would  have  improved 
the  nation’s  cybersecurity  of  critical  infrastructure  posture.  The  United  States  faulty 
cybersecurity  paradigm  rests  upon  unproven  theories  that  left  unchanged,  trend  the  nation 
toward  a  national  catastrophe. 

This  thesis  examines  the  United  States’  evolution  of  cybersecurity  policies 
through  the  lens  of  Thomas  Kuhn’s  change  theory.  Thomas  Kuhn’s  theory  of  change,  as 
detailed  within  The  Structure  of  Scientific  Revolutions ,  illuminates  why  two  decades  of 
national  security  policy  continues  to  employ  ineffective  and  erroneous  beliefs  about 
securing  the  information  environments  that  support  national  infrastructures.  The 
Structure  of  Scientific  Revolutions  presents  ‘normal  science’  and  ‘paradigm  change’  as 
disparate  constructs  for  systematic  advancement  of  knowledge  and  progress  within  a 

o. 

discipline.  The  United  States  cybersecurity  paradigm  is  a  product  of  the  normal  science 

3  Although  The  Structure  of  Scientific  Revolutions  is  widely  credited  for  the  term  paradigm  shift, 
Thomas  Kuhn  did  not  employ  the  term  ‘paradgim  shift’  in  the  book.  Instead,  Kuhn  used  the  term 
‘paradigm  change.  ’  This  thesis  uses  the  terms  paradigm  change  because  change  indicates  a  transformation 
to  something  fundamentallly  different  from  what  it  would  be  if  left  alone. 
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methodology.  Communities  of  practice  that  employ  the  normal  science  methodology, 
dogmatically  pursue  solutions  without  challenging  the  widely  acknowledged  foundational 
beliefs.4  For  example,  consecutive  Presidential  Administrations  created  new 
cybersecurity  initiatives  without  challenging  the  foundational  principles  that  informed 
previous  White  House  policy  statements,  U.S.  legal  code,  Presidential  Executive  Orders, 
and  Decision  Directives.  Periodically,  a  series  of  events  creates  a  critical  point  in  which 
the  long-held  beliefs  cease  to  resolve  the  complexities  within  an  environment  and  create 
the  conditions  for  a  paradigm  change.  The  United  States  is  at  just  such  an  inflection 
point. 

The  Structure  of  Scientific  Revolutions  warns  that  paradigm  change  is  elusive  and 
difficult  because  a  community  must  first,  conceptually  recognize  the  methodology’s 
inability  to  resolve  complexities  as  true  flaws,  and  second,  endure  a  crisis  that  fractures 
the  community  into  opposing  thoughts.5  A  paradigm  change  occurs  only  when  a 


4  Kuhn,  The  Structure  of  Scientific  Revolutions,  10. 

5  J.  S.  Bruner  and  Leo  Postman,  "On  the  Perception  of  Incongruity:  A  Paradigm,"  Journal  of 
Personality  18  (1949):  206. 

In  a  psychological  experiment,  subjects  attempted  to  identify  a  series  of  playing  cards  presented  in 
a  short  and  controlled  exposure  pattern.  Although  most  playing  cards  were  traditional,  some  were 
anomalous.  For  example,  the  deck  included  a  red  six  of  spades  or  a  black  four  of  hearts.  Each 
experimental  session  included  the  presentation  of  playing  cards,  one  at  a  time,  with  gradually  increased 
exposure  times.  After  each  card  exposure,  the  researcher  asked  the  subject  what  card  he/she  witnessed. 
Two  successive  correct  identifications  ended  the  session. 

Most  subjects  correctly  identified  the  traditional  cards.  However,  the  anomalous  cards  were 
almost  always  misidentified  with  conviction.  The  subjects  often  failed  to  observe  anomalies.  For  example, 
participants  confidently  identified  the  black  four  of  hearts  as  the  four  of  either  spades  or  hearts.  Subjects 
routinely  superimposed  their  personal  experience  paradigm  when  presented  with  an  anomaly.  Subjects 
appeared  not  to  “see”  or  conceptually  recognize  deviations  from  their  personal  paradigm.  When  provided 
with  extended  exposure  times,  the  subjects  demonstrated  apprehension  when  presented  anomalies. 
However,  hesitations  did  not  produce  the  identification  of  the  exact  anomalies.  Subjects  would  state, 
“That’s  the  six  of  spades,  but  there  is  something  wrong  with  it  -  the  black  has  a  red  border.” 

While  most  subjects  improved  with  multiple  iterations,  many  never  made  the  necessary 
adjustments.  Some  subjects  demonstrated  acute  physical  distress.  One  subject  exclaimed,  “I  can’t  make 
the  suit  out,  whatever  it  is.  It  didn’t  even  look  like  a  card  that  time.  1  don’t  know  that  color  it  is  now  or 
whether  it’s  a  spade  or  a  heart.  I’m  not  even  sure  now  what  a  spade  looks  like.” 
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community  of  professionals  replaces  a  set  of  beliefs  and  principles,  in  whole  or  part,  with 
a  new  theory.* * 6  The  crisis  may  present  itself  as  an  intellectual  crisis  or  a  physical 
catastrophe  that  forces  the  passion  of  the  community  and  its  stakeholders  to  demand 
change.  Both  Leon  Panetta,  former  Secretary  of  Defense  and  Director  of  the  CIA,  and 
James  A.  Lewis,  Director  of  the  Center  for  Strategic  and  International  Studies  (CSIS) 
Technology  and  Public  Policy  Program,  are  among  the  nation’s  most  vocal  critics  of  the 
cybersecurity  policy  status  quo.  For  example,  during  a  201 1  interview,  Secretary  Panetta 
warned  the  nation  about  unseen  threats  that  require  a  different  approach  to  cybersecurity 
stating  “. . .  that  there  is  the  cyber  capability  to  basically  bring  down  our  power  grid. .  .to 
paralyze  our  financial  system  in  this  country. .  .to  virtually  paralyze  our  country.”7 
Likewise,  Lewis’  Congressional  testimonies,  published  writings,  and  leadership  at  the 
CSIS  place  him  at  the  forefront  of  innovative  cybersecurity  change  agents.  Lewis  served 
as  the  Project  Director  for  the  highly  influential  2008  report  from  the  CSIS  Commission 
on  Cybersecurity  for  the  44th  Presidency.  The  CSIS  report  presents  over  twenty 
recommendations  that  seek  to  challenge  the  validity  of  unproven  paradigms,  reframe  the 
severity  of  cybersecurity  threats,  and  advance  a  comprehensive  cybersecurity  policy 
agenda.8  While  the  CSIS  report  focuses  on  a  broad  range  of  cybersecurity  topics  to 
include  offensive  and  international  cybersecurity  strategies,  it  doesn’t  analyze  the  specific 
challenges  facing  the  cybersecurity  of  critical  infrastructure. 

The  Structure  of  Scientific  Revolutions  indicates  practitioners  of  a  professional  community  behave 

in  the  same  manner  when  anomalies  appear  among  widely  held  paradigms. 

6  Kuhn,  The  Structure  of  Scientific  Revolutions ,  92. 

7  Scott  Pelley,  "Panetta:  Cyberware  could  Paralyze  U.S."  CBS  Interactive,  Inc., 
http://www.cbsnews.com/8301-18563  162-57353420/panetta-cyber-warfare-could-paralyze-u.s/  (accessed 

October  28,  2012). 

8  Center  for  Strategic  International  Security,  Securing  Cyberspace  for  the  44th  Presidency 
(Washington  DC:  CSIS,  2008),  5-9. 
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This  thesis  adds  to  the  growing  cybersecurity  policy  body  of  work  by  thoroughly 

examining  the  major  cybersecurity  policies  beginning  with  the  digital  explosion  of  the 

late  nineteen  nineties.  This  thesis  also  identifies  the  flawed  threads  of  policy  that 

continually  survive  successive  Presidential  administrations.  These  enduring  principles 

create  the  paradigm  that  continues  to  place  the  nation,  its  infrastructure,  and  citizens  at 

risk.  Ultimately,  this  study  analyzes  the  cybersecurity  environment  and  submits  a 

fundamentally  different  paradigm  for  the  cybersecurity  of  critical  infrastructure. 

The  scope  of  this  thesis  is  limited  solely  to  the  cyber  defense  of  critical 

infrastructure.  Cybersecurity  is  a  broad  topic  with  multiple  layers  to  include  deterrence, 

attack,  exploitation,  and  defense.  Countless  intertwined  strands  of  friction  exist  within 

the  various  layers  that  collectively  bind  cybersecurity  into  a  seemingly  intractable  knot. 

These  interconnected  strands  include  finance,  privacy,  international  Internet  governance, 

software  development,  and  technology  supply  chain  management  to  name  only  a  few. 

This  thesis  focuses  upon  the  policy  framework  to  deter  cyber  attacks  against  critical 

infrastructure  through  defense  by  denial.  Martin  Libicki,  in  Cyberdeterrence  and 

Cyberwar ,  adeptly  articulates  the  intricate  relationship  between  defense  and  deterrence: 

If  deterrence  is  anything  that  dissuades  an  attack,  it  is  usually  said  to  have 
two  components:  deterrence  by  denial  (the  ability  to  frustrate  the  attacks) 
and  deterrence  by  punishment  (the  threat  of  retaliation).9 

William  Kaufman,  special  assistant  to  each  Secretary  of  Defense  from  1961  to 

1981,  authored  the  counterforce  nuclear  deterrence  theory.  The  theory,  described  below, 

highly  influences  this  author’s  fundamental  understanding  of  defense  as  a  central  pillar  to 

any  deterrence  concept: 


9  Martin  Libicki,  Cyberdeterrence  and  Cyberwar  (Arlington:  RAND  Corporation,  2009),  7. 
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Deterrence  consists  of  essentially  two  basic  components:  first,  the 
expressed  intention  to  defend  a  certain  interest;  secondly,  the 
demonstrated  capability  actually  to  achieve  the  defense  of  the  interest  in 
question  or  to  inflict  such  a  cost  on  the  attacker  that,  even  if  he  should  be 
able  to  gain  his  end,  it  would  not  seem  worth  the  effort  to  him. 10 


Defense  by  punishment,  counterattack,  or  preemptive  attack  are  critical  and 
necessary  ingredients  for  cyber  deterrence.  However,  offensive  and  punitive  cyber  attack 
strategies  are  beyond  the  scope  of  this  research.  The  use  of  the  term  cybersecurity  within 
this  thesis  always  refers  to  cyber  defense.  The  author  understands  and  accepts  cyber 
defense  as  merely  a  single  component  to  an  effective  cybersecurity  policy. 

Chapter  1,  Foundations,  provides  the  building  blocks  of  cyber  understanding 
through  an  examination  of  the  Advanced  Research  Project  Agency’s  impact  upon 
national  interests  and  the  creation  of  the  Internet.  This  chapter  also  includes  rationale  for 
the  author’s  revised  cyberspace  definition,  along  with  a  Stuxnet  Case  Study  that 
highlights  the  growing  cyber  threat  to  critical  infrastructures.  Chapter  2,  Cyberspace 
Policy  Review,  conducts  an  examination  of  the  United  States  cybersecurity  policy  and 
identifies  the  consistent  themes  throughout  the  past  three  Presidential  administrations  that 
continue  to  slow  progress.  Finally,  Chapter  Three,  Recommendations,  submits  principles 
for  a  new  United  States  cybersecurity  paradigm. 


10  Adam  Bernstein,  "Obituaries:  Defense  Expert  William  Kaufmann,"  Washington  Post,  December 
17,  2008,  http://www.washingtonpost.com/wp-dvn/content/article/2008/12/16/AR20081216Q2724.html 

(accessed  January  15,  2013).  ( emphasis  added) 

In  1954,  Secretary  of  State  John  Foster  Dulles  advanced  the  “massive  retaliation”  nuclear  strategy. 
In  the  same  year,  William  Kaufmann  published  the  essay,  "The  Requirements  of  Deterrence,"  that  harshly 
criticized  Dulles'  strategy.  Mr.  Kaufmann  then  controversial  essay  stated,  "We  must  face  the  fact  that,  if 
we  are  challenged  to  fulfill  the  threat  of  massive  retaliation,  we  will  be  likely  to  suffer  costs  as  great  as 
those  we  inflict."  In  1960,  Mr.  Kaufmann  proposed  the  "counterforce"  strategy,  which  unlike  massive 
retaliation,  fired  its  first  volley  of  nuclear  weapons  at  Soviet  bomber  bases  and  submarine  pens  in  an  effort 
to  avoid  Soviet  cities.  The  limited  response  strategy  sought  to  bring  a  nuclear  war  to  a  resolution  shy  of 
mutual  annihilation.  Mr.  Kaufmann  persuaded  several  Secretaries  of  Defense  that  counterforce  provides  a 
wider  variety  of  Presidential  options  in  contrast  to  the  massive  retaliation  strategy. 
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CHAPTER  1:  FOUNDATIONS 


Evolution  of  ARP  AN et 

The  history  of  the  Advanced  Research  Project  Agency  (ARPA)  and  the  ARPA 
Network  (ARPANet)  provide  context  into  twenty-first  century  cybersecurity  challenges 
and  markers  toward  potential  solutions.  On  October  4,  1957,  the  Soviet  Union’s 
launching  of  the  world’s  first  intercontinental  ballistic  missile,  with  the  first  artificial 
satellite  onboard,  Sputnik,  thrust  the  United  States  into  intellectual  crisis.1 2 3  Sputnik 
awakened  the  United  States  from  its  assumption  of  hegemonic  technological  prowess  and 
spurred  increased  funding  for  scientific  research,  education,  and  development.  Then 
Senate  Majority  Leader  Lyndon  B.  Johnson  and  future  President  remarked,  “Now, 
somehow,  in  some  new  way,  the  sky  seemed  almost  alien.  I  also  remember  the  profound 
shock  of  realizing  that  it  might  be  possible  for  another  nation  to  achieve  technological 
superiority  over  this  great  country  of  ours.”  The  launch  of  Sputnik  signaled  serious 
problems  within  the  United  States’  management  of  science  and  technology  research.4 
The  United  States  required  a  fundamentally  new  approach  to  science  and  technology 
research.  The  United  States’  response  to  the  need  for  innovation  was  the  creation  of  the 
Advanced  Research  Project  Agency. 


1  Richard  Van  Atta,  50  Years  of  Innovation  and  Discovery  (Washington  DC:  DARPA), 
www. darpa.mil/WorkArea/DownloadAsset. aspx?id=2553  (accessed  January  28,  2012). 

2  Gary  Anthes,  "Happy  Birthday  Sputnik!"  Computerworld  41,  no.  44  (October  2007):  44-46, 
http://search.proquest.com.ezproxy6.ndu.edu/docview/2161 188 14?accountid=  12686  (accessed  March  3, 
2013). 

3  Van  Atta,  50  Years  of  Innovation  and  Discovery. 

4  Anthes,  “Happy  Birthday  Sputnik!”  44-48,  50. 
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In  1958,  President  Dwight  Eisenhower  created  ARPA,  within  the  Department  of 
Defense,  in  response  to  the  launch  of  the  Russian  satellite  Sputnik.5  ARPA’s  purpose 
was  to  reestablish  and  maintain  the  United  States’  technological  preeminence  over 
potential  enemies  and  prevent  technological  surprise.6 7 8  The  agency,  since  renamed  the 
Defense  Advanced  Research  Projects  Agency  (DARPA),  later  expanded  its  mission  to 

' 7 

include  creating  technological  surprise  for  potential  enemies.  From  the  beginning, 
national  leaders  recognized  the  need  for  an  agency  with  a  unique  culture  capable  of 
reaching  beyond  the  cumulative  and  incremental  methodologies  associated  with  normal 

Q 

science  development.  The  Defense  Advanced  Research  Projects  Agency’s  culture, 
outlined  below  in  its  three  attribute  concept,  rewards  critical  and  creative  thinking: 

•  Independence.  DARPA  research  and  development  efforts  focus  beyond  next 
generation  technologies.  Neither  DARPA  Program  Managers  nor  selected 
projects  derive  from  explicit  military  service  component  requirements. 

•  Risk  Taking.  The  DARPA  Director  selects  research  projects  and  Program 
Managers  capable  of  high  risk/high  payoff  concepts.  DARPA  is  a  high 
performance  learning  organization  that  remains  unafraid  of  failure.  DARPA’s 
organizational  structure  is  lean,  decentralized,  and  aggressive.  In  fact, 
DARPA  owns  zero  laboratories.  The  Director’s  office  pushes  decision 
making,  initiative,  and  responsibility  down  to  Program  Managers  within  the 
nation’s  leading  research  laboratories.  Program  and  Project  Managers  both 
conceive  and  manage  all  of  D  ARP  As  initiatives. 

•  Idea  Driven  &  Outcome  Oriented.  Promising  ideas  are  the  currency  of 
DARPA  selected  projects.  Program  Managers  identify  projects  and  convince 
the  Board  of  Directors  of  their  high  potential.  DARPA  selects  projects  void 
of  well-proven  notions,  while  never  pursuing  projects  for  the  pure  pursuit  of 


5  Anthes,  “Happy  Birthday  Sputnik!”  44-48,  50. 

6  Ibid. 

7  Defense  Advanced  Research  Projects  Agency,  "About  DARPA,"  DARPA, 
http://www.darpa.mil/About.aspx  (accessed  September  21,  2012). 

In  1972,  Congress  renamed  ARPA  (Advanced  Research  Projects  Agency)  DARPA  (for  Defense), 
then  back  to  ARPA  in  1993,  and  again  renamed  to  DARPA  in  1996. 

8  Van  Atta,  50  Years  of  Innovation  and  Discovery. 
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science.  Project  goals  vary  from  demonstrating  an  idea’s  technical  feasibility 
to  providing  proof  of  concept  for  an  operational  capability.  9 

Throughout  its  history,  DARPA  catalyzed  and  assured  the  United  States’  position  as  the 
world’s  technological  hegemon.  The  Advanced  Research  Project  Agency’s  history  and 
culture  uniquely  qualifies  the  agency  to  once  again  lead  the  nation  against  the  growing 
cybersecurity  problem  set. 

The  Advanced  Research  Projects  Agency  is  the  catalyst  for  much  of  cyberspace  and  it 
must  now  lead  the  nation  in  securing  cyberspace.  ARPA  computer  scientists  pioneered 
the  Advanced  Research  Projects  Agency  Network  (ARPANet),  the  precursor  to  the 
Internet,  within  an  information  environment  void  of  nefarious  actors.10  The  ARPANet 
research  community  included  a  select  group  of  well-known  research  participants, 
mainframes,  and  terminals.*  1 1  ARPANet  pioneers  developed  a  blind  spot  against  the  need 
to  develop  inherently  secure  technologies  due  to  the  uncontested  information 
environment.  In  fact,  ARPANet  engineers  faced  complex  challenges  that  focused  their 
efforts  on  the  interoperability  and  productivity  of  communication  technology  and  led 
them  to  miss  the  need  for  holistic  security.  The  developed  technological  solutions  to 
ARPANet’ s  early  challenges  serve  as  the  underpinnings  of  the  modern  Internet. 


9  Ibid,  (emphasis  added) 

10  Jennifer  DiSabatino,  "The  Wild  Wild  West,"  Computerworld  35,  no.  46  (November  2001), 
http://search. proquest. com.ezproxy6.ndu.edu/docview/216089759?accountid=  12686  (accessed  March  9, 
2013). 

11  Ibid. 

12  President's  Commission  on  Critical  Infrastructure  Protection,  Critical  Foundations:  Protecting 
America 's  Infrastructure  (Washington  DC:  Government  Printing  Office,  October  1997),  16. 

13  Ibid. 
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Therefore,  without  a  fundamentally  new  approach  to  the  science  of  cybersecurity,  the 
Internet  and  cyberspace  will  remain  less  secure  than  the  laws  of  science  demand.14 

In  1962,  ARPA  leadership  created  the  Information  Processing  Techniques  Office 
(IPTO),  since  renamed  Innovation  Information  Office,  to  fund  and  manage  computer 
science  projects.15  Since  its  inception,  the  IPTO’s  computer  research  project 
management  record  is  remarkable.  The  IPTO  is  the  historical  driving  force  behind  many 
of  the  world’s  ground  breaking  computing  science  research  developments,  including  the 
first  distributed  information  network,  the  first  successful  email  message,  and  the  first 
graphical  user  interface  (GUI)  computer  program.16  The  first  IPTO  Director,  Joseph  Carl 
Robnett  Licklider,  authored  a  series  of  memorandums  (later  termed  the  “Galactic 
Network”  memos),  which  are  widely  considered  the  first  recorded  plan  for  a  digital 
communication  network.  One  particular  memorandum  warned  that  the  project  may 
“never  become  anything  more  than  a  high-tech  Tower  of  Babel,  in  which  widely 
scattered  enclaves  produced  incompatible  machines,  incompatible  languages,  and 
incompatible  software.”  By  1966,  Robert  Taylor,  the  third  IPTO  director,  realized 
Licklider’s  fears.  Processes  and  technologies  among  IPTO’s  three  participating  research 


14  The  MITRE  Corporation,  Science  of  Cybersecurity  (Rosslyn,  VA:  The  Office  of  the  Under 
Secretary  of  Defense  for  Acquisition,  Technology,  and  Logistics,  2010), 
www.fas.org/irp/agencv/dod/iason/cvber.pdf  (accessed  March  19,  2013). 

15  Janet  Ellen  Abatte,  "From  ARPANet  to  Internet:  A  History  of  APRA-Sponsored  Computer 
Networks,  1966-1988"  (PhD  diss..  University  of  Pennsylvania,  1994), 

http://search. proquest. com.ezproxy6.ndu.edu/doc view/304104775?accountid=  12686  (accessed  March  28, 
2013). 

16  Gary  Anthes,  "Timeline:  Sputnik  and  Three  Decades  of  DARPA  Hegemony,"  Computerworld 
(Online),  http://www.computerworld.eom/s/article/9037638/Timeline  Sputnik  and  Three  Decades  of 

DARPA  Hegemony  (accessed  February  7,  2013). 

17  Mitch  Waltrip,  DARPA  and  the  Internet  Revolution  (Washington  DC:  DARPA), 
www.darpa.mil/WorkArea/DownloadAsset.aspx?id=2554  (accessed  October  15,  2012), 79. 

18  Ibid. 
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universities  were  duplicative,  incompatible,  and  stove-piped.19  Additionally,  the  level  of 

information  sharing  between  universities  was  nearly  non-existent.  Collectively,  the  lack 

of  interoperable  software  languages  and  non-scalable  technologies  served  as  the  problem 

statement  and  catalyst  for  solutions  that  drove  ARPA  toward  the  need  for  a 

communications  network.  It  was  clear  that  proprietary  and  closed-source  information 

and  communication  technologies  (ICT)  promoted  incompatibility  and  inefficiency.  In 

fact,  Taylor  maintained  three  disparate  desktop  terminals  within  his  office  in  order  to 

communicate  with  three  incompatible  ARPA-funded  research  university  computing 

systems.”  Taylor  later  remarked,  “Anyone  in  that  context  would  have  quickly  thought, 

2 1 

‘Hey,  wait  a  minute,  why  can’t  I  get  to  any  of  these  places  from  one  terminal?’” 

In  1967,  the  IPTO  director  hired  Larry  Roberts  to  lead  the  Advanced  Research 
Projects  Agency  Network  (ARPANet)  project.”  The  project’s  goal  was  to  employ 
communications  technologies  that  allowed  research  institutions  to  share  computing 
resources.  Mr.  Roberts’  decisions  to  employ  packet  switching  and  decentralized 
routing  structures  enabled  a  common  communications  structure  and  forever  shaped  the 

24 

Internet,  cyberspace  and  cybersecurity.” 

Robert’s  first  action  was  to  abandon  circuit  switching  technologies,  the  prevalent 
communication  protocol,  in  favor  of  newly  validated  packet  switching  technologies. 
Circuit  switching  technologies  resemble  a  multilane  highway  in  which  the  painted  lines 

19  Waltrip,  DARPA  and  the  Internet  Revolution,  80. 

20  Ibid. 

21  Ibid. 

22  Ibid. 

23  Ibid. 

24  Ibid. 


11 


TC 

are  solid.  In  a  circuit  switched  network,  each  call  (data,  voice,  or  video)  receives  and 
maintains  exclusive  and  full  use  of  its  own  lane.  For  example,  during  a  circuit  switched 
telephone  call,  the  caller  pays  for  the  entire  “air  time”  to  include  breaks  and  lulls  in  the 
conversation.  Since  the  communication  link  is  dedicated  and  unavailable  to  other  users, 
the  caller  incurs  the  complete  cost.  The  primary  advantages  of  circuit  switching  are  (1) 
non-repudiation  of  transmissions  and  (2)  the  clarity  and  stability  of  each  connection. 
Employing  dedicated  circuits  for  the  sporadic  nature  of  digital  data  transfer  is  inefficient 
because  of  its  inability  to  constantly  and  consistently  saturate  any  one  circuit.26 

Packet  switching  technologies,  including  Transmission  Control  Protocol  and 
Internet  Protocol  (TCP/IP),  resemble  a  multilane  highway  in  which  the  painted  lines  are 
dashed  lines.  Packet  switching  separates  transmissions  into  smaller  pieces  (packets)  of 
data  and  disperses  them  among  separate  lanes. "  Instead  of  exclusive  ownership  of  an 


25  Seth  Schiesel,  “AT&T’s  Embrace  of  New  Technology  Signals  Next  Era.”  New  York  Times, 
March  8,  1999,  http://search.proquest.com.ezproxy6.ndu.edu/docview/431 147861  ?accountid=  12686 
(accessed  August  10,  2012). 

26  Ibid. 

27  Ibid. 

2S  Curt  White,  Data  Communications  and  Computer  Networks:  A  Business  User's  Approach,  4th 
ed.  (Boston:  Thomson  Course  Technology,  2007),  338-341. 

Internet  services  (email,  web  pages,  links,  remote  login)  are  enabled  by  a  series  of  packet 
switching  technologies.  The  TCP/IP  protocol  suite  and  the  Open  Source  Interconnection  (OSI)  model  are 
frameworks  used  to  describe  and  categorize  network  technologies.  Countless  network  technologies 
comprise  the  frameworks  to  include  Hypertext  Transfer  Protocol  (HTTP),  Dynamic  Host  Configuration 
Protocol  (DHCP),  and  User  Datagram  Protocol  (UDP)  among  others.  However,  the  two  dominant  protocols 
of  network  technology  and  the  Internet  are  Transmission  Control  Protocol  (TCP)  and  Internet  Protocol. 
These  protocols  are  the  foundation  of  communcation  networks  to  include  the  Internet. 

Internet  Protocol  (IP)  provides  a  connectionless  (think  opposite  of  circuit  switching)  data  transfer 
service  over  a  disparate  networks  by  passing  and  routing  data  packets.  The  IP  protocol  encapsulates  data 
packets  with  the  information  necessary  to  transport  data  packet  at  the  orign  and  unencapsulate  the  data 
packet  for  reassembly  with  other  packets  at  the  destination.  The  necessary  information  includes  origin  and 
destination  address  information,  data  packet  size,  and  the  date/time  the  packet  was  created.  Routers 
analyze  IP  information  to  determine  the  destired  packet  traffic  path,  further  fragment  the  packet  depending 
on  the  size  of  the  forwarding  network,  and  if  necessary  delete  the  packet. 

Transmission  Control  Protocol  (TCP)  performs  functions  to  increase  the  stability  and  reliability  of 
network  transmission  through  network  connection  error  checking.  A  TCP  header  is  encapsulated  into  data 
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entire  lane,  packets  from  the  same  transmission  enter  multiple  lanes  with  other  separated 
packets  and  reassemble  at  or  near  the  destination.  The  primary  advantages  of  packet 
switching  include  the  potential  (1)  to  maximize  a  lane’s  capacity  (bandwidth)  and  (2)  to 
transmit  mammoth  quantities  of  packets  to  geographically  dispersed  destinations.29  The 
disadvantage  of  packet  switching  is  the  difficulty  of  attributing  responsibility  of  a 
message  to  its  originator.  However,  the  ARPANet  research  community  was  small, 

on 

trusted,  and  well-known  within  the  community  of  researchers.  The  ARPANet  project 
community  only  consisted  of  three  exclusive  research  universities  of  known  and  trusted 

O  1 

engineers.  Therefore,  Roberts’s  project  challenges  were  void  of  information  security 
concerns,  but  centered  on  productivity  and  interoperability  of  dispersed  and  disparate 
information  systems. 

Next,  Roberts  decentralized  ARPANet’s  routing  of  data  packets.  Although 
decentralized  routing  adds  a  layer  of  user  anonymity,  it  increases  the  speed  and  reliability 
of  networked  computing.  ARPANet’s  routing  design  relied  upon  the  concept  of  shared 
responsibility  among  network  computers  (routers).  ~  Although  a  centralized  architecture 
is  easier  to  design  and  maintain,  centralization  also  breeds  single  points  of  catastrophic 
failure.  ARPANet  implemented  peer  routers,  then  called  Interface  Message  Processors, 
to  sort  and  route  packets  from  origins  to  destinations.  ARPANet  employed  matrix 

packets  that  perform  several  stability  and  reliablity  functions.  The  encapsulated  header  functions  include 
the  creation  of  a  connection  between  a  sender  and  receiver,  connection  acknowledgement  and  error 
checking,  release  of  the  connection  after  all  data  is  sent,  and  prioritization  of  data  packets  such  as  error 
checking  packets. 

29  Schiesel,  “AT&T's  Embrace  of  New  Technology  Signals  Next  Era.” 

30  DiSabatino,  “The  Wild  Wild  West.” 

31  Waltrip,  DARPA  and  the  Internet  Revolution. 

32  Ibid. 

33  Ibid. 
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architecture  with  adaptive  packet  switching  technologies  capable  of  determining  the  most 
efficient  transport  path  for  each  packet.  The  unintended  consequence  of  packet  switching 
technologies  is  the  presence  of  near  anonymous  Internet  activity  among  its  users.  In  fact, 
accurately  identifying  users  within  a  packet  switched  environment,  absent  the  use  of 
digital  signatures,  remains  nearly  impossible.34 

Pioneering  network  computer  engineers  designed  ARPANet  as  a  collaborative 
communications  platform  containing  efficient  and  interoperable  technologies. 
Interoperability  and  efficiency  were  the  prime  goals,  not  security,  during  the  development 
of  Internet  software  protocols.  Communications  protocols,  along  with  a  decentralized 
architecture,  contribute  to  the  anonymous  nature  of  Internet  travel.  Internet  designers 
valued  efficient  data  flow  over  information  confidentiality,  data  integrity  and  identity 
authentication.36  Considering  the  uncontested  security  environment  and  challenges  to 
efficiency  and  interoperability,  it  is  unreasonable  to  believe  early  network  pioneers  could 
have  foreseen  the  information  security  challenges  of  the  twenty-first  century.  The 
anonymous  character  of  Internet  communications  protocols  remains  a  challenge  to 
reducing  cybersecurity  risks  to  manageable  levels. 


34  Harry  Newton,  Newton's  Telecom  Dictionary,  ed.  Steve  Schoen,  25th  ed.  (New  York:  Flatiron 
Publishing,  2009),  370. 

A  digital  signature  is  the  network  equivalent  of  hand  written  signature  that  prevents  the  creator 
from  denying  authorship  of  the  source  doucment  and  assures  the  recipient  of  its  orign.  A  digital  signature 
is  an  electronic  signature  that  is  extremely  difficult  to  forge.  Receiving  a  message  with  a  digital  signature 
provides  an  extremely  high  level  of  confidence  that  the  document  has  not  been  altered  since  it  was  signed. 

35  Kamlesh  Bajaj,  The  Cybersecurity  Agenda:  Mobilizing  for  International  Action  (New  York: 
East  West  Institute,  2010),  http://www.ewi.info/cybersecuritv-agenda  (accessed  November  13,  2012),  6. 

36  Ibid. 

37  U.S.  Department  of  Defense,  Department  of  Defense  Strategy  for  Operating  in  Cyberspace 
(Washington  DC:  Government  Printing  Office,  July  2011),  2. 
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ARPANet  is  the  precursor  the  modem  interconnected  communications  network 


now  termed  the  Internet.  However,  cyberspace,  and  therefore  cybersecurity,  is  much 
broader  than  the  Internet.  Policy  often  mistakenly  equates  the  Internet  with  cyberspace. 
While  effective  Internet  security  is  necessary  to  reduce  cyber  vulnerabilities,  separating 
critical  infrastructure  information  systems  from  Internet  connection  does  not  guarantee 
freedom  from  cyber  threats.  The  section  below  examines  the  definition  of  cyberspace 
and  presents  the  author’s  revised  definition.  The  section  seeks  to  illuminate  incomplete 
cyberspace  definitions  that  misinform  cybersecurity  policy.  A  functional  definition 
provides  both  cybersecurity  strategist  and  national  policy  makers  a  contextual  foundation 
for  the  development  of  appropriate  policy. 

What  is  Cyberspace? 

The  United  States  must  communicate  and  operate  from  an  accurate  definition  of 
cyberspace  in  order  to  develop  effective  cybersecurity  of  critical  infrastructure  policy. 
Author  William  Gibson  first  coined  the  term  cyberspace  in  the  1982  science  fiction 

oo 

novel,  Burning  Chrome ,  by  combining  the  words  cybernetics  and  space.  In  1984, 
Gibson  popularized  the  term  in  his  following  novel  Neuromancer,  where  he  described 
cyberspace  as,  “A  graphic  representation  of  data  abstracted  from  banks  of  every 
computer  in  the  human  system.  Unthinkable  complexity.  Lines  of  light  ranged  in  the 
non-space  of  the  mind,  clusters  and  constellations  of  data.”  The  original  descriptions  of 
cyberspace  do  little  to  advance  the  policy  strategist  requirement  to  demystify  the  domain. 


38  Kamal  Jabbour,  50  Cyber  Questions  Every  Airman  Can  Answer  (Rome,  NY:  Air  Force 
Research  Laboratory,  2008),  3. 


39  Ibid. 
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However,  this  section  seeks  to  provide  a  clear  cyberspace  definition  that  informs  policy 
creation. 

This  section  presents  a  revised  cyberspace  definition  that  demystifies  the  nature  of  the 
global  domain.  In  War  and  Anti-War,  co-authors  Alvin  and  Heidi  Toffler  wrote,  “The 
way  we  make  war  reflects  the  way  we  make  wealth,  and  the  way  we  make  anti-war 
(diplomacy)  must  reflect  the  way  we  make  war.”40  All  societies,  whether  agrarian, 
industrial,  or  knowledge-based,  generate  instruments  of  power  reflective  of  their  wealth 
source.41  The  United  States  projects  its  diplomatic,  information,  military  and  economic 
instruments  power  from  the  superior  ability  to  create,  collect,  and  synthesize  massive 
knowledge  stores.  This  section  defines  cyberspace  as  an  engineered  domain  instead  of  a 
naturally  occurring  scientific  phenomenon  such  as  land,  sea,  or  air.  Many  policy  makers 
mistakenly  equate  cyberspace  with  the  Internet  and  categorize  it  as  a  naturally  occurring 
global  common.  Poor  definitions  drive  policy  makers  to  develop  misaligned  strategies 
incapable  of  achieving  policy  objectives.  This  study  presents  two  current  cyberspace 
definitions  and  suggests  a  revised  definition,  along  with  rationale  for  the  new 
characterization. 

In  Third  Wave,  the  Tofflers  accurately  predicted  the  emergence  of  twenty-first 
century  Information  Age  societies.42  Information  Age  societies  leverage  data  and 
computing  technologies  to  create  actionable  knowledge  capable  of  solving  complex  and 


40  Alvin  Toffler  and  Heidi  Toffler,  War  and  Anti-War.  (New  York,  NY:  Little,  Brown  & 
Company,  1993),  2. 


42  Nathan  Gardels,  "He  Has  Seen  the  Future,"  Financial  Times,  August  19,  2006, 
http://www.ft.eom/ems/s/0/af33b982-2dbd-l  ldb-93ad-0000779e2340.html#axzz2Lm4HX9cn  (accessed 

October  5,  2012). 
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evolving  problems.43  Cyberspace  is  the  collective  convergence  of  engineered 
technologies  that  fuel  post-industrial  Age  societies.  Information  and  computing 
technologies,  such  as  TCP/IP  and  underwater  fiber-optic  cabling,  underpin  Information 
Age  societies  and  knowledge-based  economies.  By  2015,  information  and  computing 
technologies  will  facilitate  the  connection  of  over  one  trillion  devices  to  the  Internet.44 
Additionally,  knowledge -based  economies  are  likely  exiting  the  Information  Age  and 
embarking  upon  an  unnamed  post-information  age  marked  by  the  convergence  of  biology 
and  computer  engineering.45  This  thesis  accepts  cyberspace  as  a  global  domain,  but  stops 
short  of  acknowledging  cyberspace  as  global  common  due  its  engineered  nature.  The 
engineered  nature  of  cyberspace  provides  credence  toward  the  pursuit  of  game  changing 
technological  solutions  to  cybersecurity  challenges. 

The  Department  of  Defense  (DoD)  leads  all  United  States  government  agencies  in 
its  understanding  and  attention  to  cyberspace.  The  2010  Quadrennial  Defense  Review 
Report  (QDR)  accurately  captured  the  essence  of  cyberspace  when  stating,  “Although  it 
is  a  man-made  domain ,  cyberspace  is  now  as  relevant  a  domain  for  DoD  activities  as  the 
naturally  occurring  domains  of  land,  sea,  air,  and  space....  The  Administration  will 


43  Ibid. 

44  Ayesha  Khanna  and  Parag  Khanna,  "Technology  Will  Take  on  a  Life  of  its  Own,"  Foreign 
Policy,  no.  188  (September/October,  2011):  2. 

In  201 1,  “Watson,”  the  famed  IBM  artificial  intelligence  (AI)  computer,  outperformed  both  Grand 
Jeopardy  Champions  on  national  television.“Watson”  exhibited  the  two  highest  markers  of  human 
intelligence:  contextual  understanding  and  language  comprehension.  Converging  technologies  such  as 
biotechnology  and  artificial  intelligence  will  change  entire  civilizations  to  include  their  security 
environment.  The  security  environment  will  undergo  chaos  while  advanced  societies  attempt  to  transition 
into  the  unnamed  post-information  Age  and  leave  lessor  developed  societies  behind. 

45  Quentin  Duroy,  "The  Place  of  Biotechnology  in  Modern  Civilization:  A  Veblenian  Analysis  of 
Public  Misgiving  Toward  Embryology  in  the  United  States,"  Journal  of  Economic  Issues  45,  no.  3 
(September  2011):  559. 

Early  indicators  of  the  an  impending  post-information  age,  characterized  by  the  convergence  of 
humans  and  technology  are  emerging.  For  example,  only  moral  objections  currently  stand  between 
biotechnology  and  successful  human  cloning. 
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continue  to  explore  the  implications  of  cyberspace’s  unique  attributes  for  policies 

regarding  operations  within  it.”46  However,  the  Department  of  Defense’s  cyberspace 

definition  (listed  below),  while  useful,  does  not  explicitly  identify  cyberspace’s  purpose 

and  places  an  inordinate  level  of  emphasis  upon  communications  networks. 

The  human  engineered  global  domain  within  the  information  environment 
consisting  of  the  interdependent  network  of  information  technology 
infrastructures,  including  the  Internet,  telecommunications  networks, 
computer  systems,  and  embedded  processors  and  controllers.47 

The  purpose  of  cyberspace  is  to  perform  valuable  information  functions.  An 

explicit  purpose  within  the  definition  provides  a  context  that  facilitates  the  ability  of 

national  security  policy  makers  to  think  critically  about  the  “why”  of  security  challenges. 

Unfortunately,  the  DoD  definition  mistakenly  elevates  interdependent  networks,  such  as 

the  Internet,  as  the  linchpin  of  cyberspace.  In  reality,  software  code  is  the  engine  that 

drives  every  information  and  computing  system  within  cyberspace,  including  the  Internet. 

The  Center  for  Technology  and  National  Security  Policy  (CTNSP),  an  arm  of  the 

National  Defense  University,  presents  an  effective  and  more  granular  definition  of 

cyberspace. 

A  global  domain  within  the  information  environment  whose  distinctive 
and  unique  character  is  framed  by  the  use  of  electronics  and  the 
electromagnetic  spectrum  to  create,  store,  modify,  exchange,  and  exploit 
information  via  interdependent  and  interconnected  networks  using 

a  o 

information  communication  technologies. 


46  U.S.  Department  of  Defense,  Quadrennial  Defense  Review  Report  (Washington  DC: 
Government  Printing  Office,  February  2010),  37.  (emphasis  added) 

47  U.S.  Department  of  Defense,  Department  of  Defense  Dictionary  of  Military  Terms  and 
Associated  Terms  (Washington  DC:  Government  Printing  Office,  November  2012),  77. 

48  Daniel  T.  Kuehl,  "From  Cyberspace  to  Cyberpower:  Defining  the  Problem,"  in  Cyberpower  and 
National  Security,  ed.  Franklin  D.  Kramer,  Stuart  H.  Starr,  and  Larry  K.  Wentz,  1st  ed.  (Dulles,  VA: 
Potomac  Books,  2009),  28. 
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The  CTNSP  definition  is  extremely  useful  because  it  highlights  the  purpose  of 
cyberspace  activity.  The  desire  and  ability  of  organizations  to  “create,  store,  modify, 
exchange  and  exploit  information”  provides  focus  to  cybersecurity  practitioners  and 
national  security  policy  makers.  Several  information  and  computing  technology  systems, 
beyond  Internet  technology,  work  collaboratively  to  “to  create,  store,  modify,  exchange, 
and  exploit  information.”  Therefore,  effective  cybersecurity  of  critical  infrastructure 
policy  is  not  equivalent  to  effective  Internet  security  policy.  Instead,  cybersecurity 
policy,  and  therefore  the  supporting  definitions,  should  focus  squarely  upon  information 
systems  and  the  software  codes  that  enable  valued  information  and  their  critical  industrial 
processes. 

A  cybersecurity  policy  that  overemphasizes  Internet  security  is  misguided.  In 
fact,  the  United  States  benefits  more  from  an  open  and  interoperable  Internet  than  any 
nation  in  the  world.  Economic  globalization  and  the  Arab  Spring  are  direct  descendants 
of  an  open  and  interoperable  Internet.  The  alternative  to  an  open  and  interoperable 
Internet  is  a  fragmented  information  environment,  in  which  nation  states  restrict  access  to 
advanced  technologies,  streaming  media,  and  sophisticated  software  under  the  guise  of 
national  security  interests.49  For  example,  in  201 1,  former  Egyptian  President  Hosni 
Mubarak’s  regime  closed  the  Egyptian  population’s  access  to  the  global  Internet 
following  massive  demonstrations.50  Journalists  and  activists  lost  the  ability  to 

49  U.S.  President,  International  Strategy  for  Cyberspace  (Washington  DC:  Government  Printing 
Office,  May  2011), 

http://www.whitehouse.gov/sites/default/files/rss  viewer/international  strategy  for  cyberspace.pdf 

(accessed  August  15,  2012),  8. 

50  Karson  K.  Thompson,  "Not  Like  an  Egyptian:  Cybersecurity  and  the  Internet  Kill  Switch 
Debate,"  Texas  Law  Review  90,  no.  2  (201 1):  465, 

http://search.proquest.com.ezproxy6.ndu.edu/docview/91601 1879?accountid=  12686  (accessed  October  4, 
2012). 
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communicate  globally  through  social  networking  sites  such  as  Twitter,  Facebook  and 

YouTube.51  The  world’s  information  superhighway,  the  Internet,  contains  exit  ramps  that 

lead  to  countless  global  assets  to  include  critical  infrastructures  within  the  United  States. 

This  study  supports  the  hardening  of  critical  off  ramps  that  lead  to  critical  information 

systems,  while  allowing  the  benefits  and  risks  of  an  open  and  anonymous  global 

information  superhighway  that  fuels  democratization  and  globalization.  Therefore,  an 

effective  cyberspace  definition  must  focus  on  information  systems,  of  which  the  Internet 

is  a  component,  that  are  underpinned  by  lines  of  software  code.  While  largely  accurate, 

neither  the  DoD  nor  the  CTNSP  definitions  conveys  the  essential  role  of  software  code  to 

cyberspace.52  Software  code,  not  the  Internet,  is  the  valued  asset  that  is  targeted  and 

defended  by  the  hacker  and  system  owner  respectively.  Software  code  is  the  genesis  of 

every  benefit,  vulnerability,  and  threat  within  the  information  environment  termed 

cyberspace.  Below  is  the  author’s  revised  cyberspace  definition: 

The  global  domain  within  the  information  and  communications 
environment  consisting  of  communication  links,  hardware,  and  software 
necessary  to  create,  modify,  store,  and  exchange  information  and  control 
computing  systems;  Software  code  is  acknowledged  as  the  central  element 
among  the  three  critical  components  that  direct  and  control  information 
and  computing  systems. 

The  revised  definition  contains  three  noteworthy  distinctions  and  serves  as  a 
foundation  for  this  thesis.  First,  the  definition  identifies  communication  links,  hardware, 
and  software  as  essential  components  of  cyberspace.  Poor  cyberspace  definitions  and 
metaphors  often  mistakenly  equate  cybersecurity  with  Internet  security.  The  Internet  is  a 
global  communication  network  comprised  of  many  small,  medium,  and  large 

51  Ibid. 

52 

~  Khanna  and  Khanna,  “Technology  Will  Take  on  a  Life  of  its  Own,”  2. 
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interconnected  networks.  Simply  stated,  the  Internet  is  a  networked  transport  path 
(superhighway)  for  varying  sized  information  packets  (cars,  motorcycles,  cargo  vehicles) 
to  reach  desired  hardware  (homes,  office  buildings)  that  contain  valued  information 
and/or  critical  information  systems  (Assets:  money,  families,  inventory)  controlled  by 
software  (people).  Although  responsible  cybersecurity  policy  must  address  Internet 
security,  cyberspace  is  much  broader  than  the  Internet.  Cybersecurity  is  not  wholly 
reliant  upon  effective  Internet  security.  The  Stuxnet  Case  Study  presents  a  scenario  in 
which  an  organized  hacker  attacked  critical  infrastructure  systems  unconnected  to  the 
global  Internet.  The  lack  of  Internet  connectivity  to  a  critical  information  source  or 
process  does  not  insulate  an  information  system  from  a  determined  adversary.  Therefore, 
equating  cyberspace  to  the  Internet  mistakenly  implies  the  sufficiency  of  Internet  security 
as  effective  cybersecurity. 

Second,  the  revised  definition  explicitly  states  the  purpose  of  cyberspace  as  the 
ability  “to  create,  modify,  store,  and  exchange  information  and/or  control  computing 
systems. ”  The  various  information  and  computing  functionalities  serve  as  the  purpose 
for  human  entry  into  cyberspace.  Understanding  functionalities,  and  therefore 
cyberspace  purposes,  provides  the  needed  insight  and  context  for  understanding  cyber 
actors,  tactics,  and  desired  effects.  Information  and  computing  technologies  leveled  the 
playing  field  for  underfunded  and  undersized  organizations.  Underfunded  groups 
produce  effects  formerly  reserved  for  nation-states  and  large  corporations.  For  example, 
compression  technologies  provide  individuals  and  small  groups  with  the  ability  to 
manipulate  data  inexpensively  to  achieve  an  effect.53 

53 

Newton,  Newton 's  Telecom  Dictionary,  304. 
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Compression  technologies  remove  indiscernible  information  from  a  picture,  video 
or  audio  file.  Without  compression  technology,  video  production,  streaming  media  and 
data  sharing  becomes  too  costly  for  all  except  well-funded  organizations.  For  example, 
the  February  2007  edition  of  Technical  Mujahid  contained  an  article  that  encouraged 
extremists  to  download  a  copy  of  an  encryption  program  "Secrets  of  the  Mujahideen" 
from  the  Internet.34  The  program  compressed  and  hid  messages  within  pixels  to  defeat 
steganalysis  attempts.55  As  more  societies  enter  the  Information  Age,  the  expansion  of 
individually  produced  and  manipulated  content  will  grow  exponentially.  In  fact, 
according  to  the  Internet  World  Statistics,  the  percentage  of  Internet  users  among  the 
world  population  grew  from  28.7%  (1.9  Billion)  in  June  2010  to  32.7%  (2.3  Billion)  in 
December  2011. 56  The  capability  to  create,  modify,  store,  and  exchange  information  for 
the  purpose  of  creating  a  strategic  effect  is  no  longer  the  sole  province  of  nation-states 
and  large  corporations. 


Audio  waves  are  the  most  commonly  known  type  of  compressed  information.  Data  intense  audio 
waves  from  the  recording  studio  are  squeezed  into  a  CD.  In  order  to  make  a  MP3  file  for  an  iPod,  the  file 
is  compressed  a  second  time.  The  compression  process  removes  audio  waves  that  are  indiscernible  to  the 
human  ear.  Lossless  techniques  compress  without  removing  detail;  lossy  compression  techniques  compress 
data  by  removing  detail.  During  the  compression  of  video  files,  bits  of  indiscernible  video  are  eliminate  by 
removing  detail,  color,  or  identical  successive  frames.  Compression  reduces  the  bandwidth,  memory  and 
processing  power  required  to  transmit,  store  and  encapsulate  a  file  respectively.  These  efficiencies  reduce 
the  costs  to  produce  and  share  large  amounts  of  content. 

54  Marthie  Grobler  and  Namosha  Veerasamy,  "Terrorist  use  of  the  Internet:  Exploitation  and 
Support  Through  ICT  Infrastructure,"  (lecture  presented  at  the  6th  International  Conference  on  Information 
Warfare  and  Security,  George  Washington  University,  Washington  DC,  March  17-18,  2011), 
http://researchspace.csir.co.za/dspace/handle/10204/5781.  (accessed  October  31,  2012),  6. 

55  Newton,  Newton's  Telecom  Dictionary,  1058. 

Steganography  is  a  method  for  encoding  hidden  messages  into  the  least  significant  bit  of  other 
files,  such  as  graphic,  audio  and  HTML  files,  which  have  large  amounts  of  unused  space.  Once  the  data  is 
encoded,  it  can  be  decoded  with  the  correct  password.  Steganalysis  is  the  art  and  science  of  detecting 
messages  hidden  using  steganography. 

56  Internet  World  Stat,  "Internet  World  Stat:  Usage  and  Population  Statistics  as  of  December  31, 
2011,"  Miniwatts  Marketing  Group,  http://www.internetworldstats.com/stats.htm  (accessed  November  1, 
2012). 


22 


Third,  the  revised  definition  highlights  software  code  as  the  “central  element 
among  the  three  critical  components  which  directs  and  controls  information  and 
computing  systems.”  Software  code  is  the  valued  prize  of  the  cyber  hacker.  The  valued 
information  or  computing  process  is  not  the  hardware  or  the  communication  link.  The 
most  successful  cyber  attacks  are  dedicated  to  finding,  exploiting,  disrupting  or 
destroying  unknown  vulnerabilities,  called  zero  day  vulnerabilities,  within  software. 
Software  represents  both  the  brains  of  computing  productivity  and  the  primary  source  of 
vulnerability.  While  most  cybersecurity  literature  focuses  upon  Internet  security,  there  is 

co 

no  defense  for  zero  day  software  vulnerability.  The  software  development  life  cycle 
favor  a  first  to  market  strategy  that  produces  “good  enough”  security  features,  which 
require  countless  subsequent  software  patches.  The  software’s  customer  base  discovers 
many  software  vulnerabilities  that  require  patches  and  upgrades.  The  customer  base 
supplements  the  software  developer’s  research  and  development  costs.59  Hackers  also 
research  and  target  zero  day  vulnerabilities  within  commercial  off  the  shelf  (COTS) 
software  such  as  Internet  Explorer,  Blackberry  Enterprise  Server,  and  mostly  widely  used 
operating  system  in  the  world,  Microsoft  Windows.  Leading  software  security  firms, 
McAfee,  Symantec,  Norton  and  Kaspersky,  reverse  engineer  malicious  software,  identify 
the  virus’  signature,  and  create  an  algorithmic  hash  for  identified  software  vulnerabilities. 


57 

Jeffrey  Carr,  Inside  Cyber  Warfare,  ed.  Mike  Loukides,  1st  ed.  (Sebastopol,  CA:  O'Reilly 
Media  Incorporated,  2009),  152. 

Zero  Day  Attack:  An  attack  against  a  software  vulnerability  that  is  unknown  to  the  software 
creator.  In  the  world  of  computer  security,  zero-day  vulnerabilities  signal  that  the  attacker  is  a  professional. 
Unknown  software  vulnerabilities  are  exploited  for  a  variety  of  purposes.  Knowledge  of  and  software 
directed  against  zero  day  vulnerabilities  sell  on  the  black  market  for  as  much  as  $100K. 

58  Ibid.,  158. 

59  David  Rice,  Geekonomics:The  Real  Cost  of  Insecure  Software,  (Boston,  MA:  Pearson 
Education,  2008),  Kindle  E-Book,  Chapter  2. (emphasis  added ) 
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Signature-based  anti-virus  software  is  only  effective  against  known  malicious  software 
code.  Therefore,  signature -based  anti-virus  software  is  only  effective  after  the  initial 
zero-day  exploit.60  The  software  development  industry  creates  inherently  unsecure 
software  code,  which  makes  traditional  cybersecurity  strategies  reactionary  at  best. 

The  manner  in  which  national  policy  defines  cyberspace  drives  the  development 
of  solutions  that  address  cybersecurity  challenges.  Cyberspace  definitions  and  metaphors 
must  acknowledge  the  role  that  software  plays  within  the  broader  context  of  information 
and  computing  technology  systems.  Equating  the  Internet  with  cyberspace  undermines 
the  nation’s  understanding  of  the  information  environment.  An  open  and  interoperable 
information  superhighway  is  necessary  to  fuel  the  growth  of  emerging  economic  and 
political  interests.  However,  malicious  actors  with  sophisticated  tactics  seek  to  penetrate 
valued  assets  to  include  United  States  critical  infrastructures.  The  section  below  details 
the  cyber  threat  facing  the  United  States’  critical  infrastructure. 

The  Cyber  Threat  Picture 

Verizon  Business  publishes  an  annual  Data  Breach  Investigations  Report  (DBIR) 
that  aggregates  cyberspace  intrusion  data  collected  from  several  international  law 
enforcement  agencies.  Participating  organizations  include  the  United  States  Secret 
Service,  the  Australian  Federal  Police,  the  Dutch  National  High  Tech  Crime  Unit,  the 
Irish  Reporting  and  Information  Security  Service,  and  the  United  Kingdom  Police  Central 


60  Shon  Harris,  CISSP:  All  in  One  Exam  Guide,  ed.  Timothy  Green,  Joe  Hoofnagle,  and  Clement 
Dupuis,  4th  ed.  (New  York:  McGraw-Hill,  2008),  1001 . 
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e-Crime  Unit.61  The  2012  report  chronicled  855  cyber  intrusions  that  included  over  170 
million  compromised  information  records.62  The  2012  study  represents  the  second 
highest  level  of  data  loss  since  the  initial  2004  report.61  The  DBIR  employs  an  excellent 
threat  model,  titled  the  Verizon  Enterprise  Risk  and  Incident  Sharing  (VERIS)  framework 
that  depicts  cyber  actors,  targets,  tactics,  and  effects  within  a  multi-dimensional 
spreadsheet.  The  VERIS  framework  assists  in  reducing  the  inherent  complexity  of  cyber 
threats.  The  VERIS  framework  is  extremely  useful  and  can  be  used  to  record  intrusion 
effects  within  servers,  networks,  user  devices,  offline  data,  and  people.  The  first 
dimension  consists  of  actors  and  hackers  that  carry  out  malicious  cyber  behavior.  The 
second  dimension  includes  the  tactics,  techniques  and  procedures  (TTPs)  employed  by 
hackers.  Finally,  the  third  dimension  includes  the  range  of  a  hacker’s  desired  objectives 
and  effects. 

The  delineation  among  the  various  cyber  hackers  is  largely  drawn  along  the  lines 
of  intent  and  motivation.  Additionally,  cyber  hackers  operate  behind  the  veil  of 
anonymity  that  creates  an  asymmetric  cybersecurity  environment.  Within  cyberspace, 
the  defenders  risk  and  cost  severely  outweigh  those  of  the  attacker.  For  example,  a  low 
cost  USB  device  containing  one  single  malicious  code  is  capable  of  disrupting  an 
enterprise  data  center.  However,  the  data  center  owner  assumes  great  risk  and  cost  to 
defend  and  harden  the  information  assets  against  a  wide  variety  of  cyber  tactics, 
techniques  and  procedures.  While  accurate  attribution  of  cyber  incidents  to  responsible 

61  Verizon  Business,  2012  Data  Breach  Investigation  Report  ( Ashburn:  Verizon  Business,  2012), 
http://www.verizonbusiness.com/resources/reports/rp  data-breach-investigations-report-2012  en  xg.pdf 

(accessed  September  21,  2012). 
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parties  is  essential  to  an  effective  cybersecurity  policy,  cyber  intrusion  investigations 
should  begin  with  an  understanding  of  the  actor’s  intent  and  motivations.  Table  1, 
Hacker  Motivations,  describes  the  most  common  malicious  cyber  actors. 


26 


Actors/Hackers64 

Motivations  and  Primarv  Tactics 

Nation  States 
(Foreign 
Intelligence 
and/or  Militaries) 

Nations  conduct  information  gathering,  espionage,  and  attacks  against 
critical  infrastructures.  According  to  the  GAO,  several  nations  are 
aggressively  working  to  develop  information  warfare  doctrine, 
programs,  and  capabilities.6'1  A  growing  array  of  state  adversaries 
increasingly  target  enterprise  data  centers,  communication 
infrastructures,  computer  systems,  firmware,  and  embedded  processors 
within  critical  industries  for  exploitation,  disruption  or  destruction.66 

Organized 

Criminals 

Criminal  groups  penetrate  information  systems  to  conduct  theft,  fraud, 
and  extortion.  Corporate  spies  leverage  similar  tactics  and  pose  a 
threat  to  the  United  States  through  their  ability  to  acquire  data  gained 
from  extensive  research  and  development.67 

Hacktivists 

Hacktivists  are  motivated  by  political  objectives  and  target  publically 
accessible  Web  pages  or  email  servers  in  order  to  advance  their 
message  or  subdue  an  adversary’s  information  message.  Hacktivists 
are  likely  to  overload  individual  email  accounts  and  enterprise  email 
servers  and/or  flood  email  accounts  with  political  messages.68 

Terrorists 

Terrorists  are  currently  less  developed  in  computer  network  capabilities 
than  nation  states  and  are  likely  to  target  critical  infrastructure  to  cause 
mass  casualties,  weaken  the  U.S.  economy,  and  damage  public 
confidence.69 

Table  1:  Hacker  Motivations 


The  quantity  and  sophistication  of  cyber  attack  tactics  continues  to  grow  at  an 
alarming  rate.  In  fact,  the  exact  quantity  of  cyber  attack  variants  is  unknown  due  to  an 


64  Robert  O'Harrow,  "Hacking  Tool  Kits,  Available  Free  Online,  Fuel  Growing  Cyberspace  Arms 
Race."  Washington  Post,  November  13,  2013,  http://www.washingtonpost.com/investigations/hacking- 
tool-kits-available-free-online-fuel-growing-cyberspace-arms-race/20 12/11/1 2/1  add77a4-2 1  e6- 1 1  e2-ac85- 

e669876c6a24  story. html?wpisrc=emailtoafriend  (accessed  November  15,  2013). 

Within  this  thesis,  the  terms  actor  and  hacker  are  used  interchangably.  Hackers  are  motivated  by 
various  factors  to  include  financial,  political,  prestige,  or  espionage.  Hacking  once  required  high  levels  of 
skill.  Now,  hackers  can  purchase  or  download  sophisticated  attack  scripts  from  the  Internet  and  launch 
them  against  victim  sites. 

65  Government  Accounting  Office,  Cybersecurity:  Threats  Impacting  the  Nation,  by  Gregory 
Whilshuen  (Washington  DC:  Government  Printing  Office,  2012),  3-13. 
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67  Ibid. 
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69  Government  Accounting  Office,  Defense  Department  Cyber  Efforts:  DoD  Faces  Challenges  in 
its  Cyber  Activities,  by  David  D'Agostino  and  Gregory  Wilshusen  (Washington  DC:  Government  Printing 
Office,  2011),  13. 
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explosion  of  pre-packaged  illicit  cyber  attack  kits  for  sale  on  the  global  hacker  black 
market.  H.D.  Moore,  Chief  Security  Officer  for  Rapid7,  a  leading  manufacturer  of 
vulnerability  management  and  penetration  testing  software,  states  that  pre-packaged 
malicious  software  routinely  sells  for  up  to  $100, 000. 71  The  tactics  available  to  software 
programmers  and  malicious  actors  are  infinite.  Table  2,  Hacker  Tactics,  Techniques  and 
Procedures,  includes  the  most  common  tactics  employed  in  cyberspace. 


70  O'Harrow,  “Hacking  Tool  Kits,  Available  Free  Online,  Fuel  Growing  Cyberspace  Arms 

Race”. 

71  Joseph  Gross  Michael,  "A  Declaration  of  Cyberwar,"  Vanity  Fair,  April  2011, 
http://ezproxy6.ndu. edu/login?url=http://search.proquest.com/docview/919475999?accountid=12686 

(accessed  November  19,  2012). 
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Tactics 

Description 

Malware 

(Malicious 

Software) 

Malware  is  typically  used  as  a  catch-all  term  to  refer  to  any  software 
designed  to  cause  damage  to  a  single  computer,  server  or  computer 
network.  Malware  is  the  most  common  cyber  tactic.  In  fact,  nearly  all 
other  TTPs  are  designed  to  gain  access  to  an  information  system  for  the 
purpose  of  inserting  a  form  of  malware.  Malware  can  take  many  forms 
to  include  rootkit,  Trojan  Horse,  spyware,  adware,  virus,  and  worm.  ~ 

Denial  of 

Service  (DoS) 
and  Distributed 
Denial  of 

Service 

(DDoS) 

Sending  malformed  packets  to  a  targeted  system  in  order  to  saturate 
and  ultimately  exhaust  the  target’s  network  bandwidth  or  computing 
resources.  The  DDoS  is  the  logical  extension  of  DoS  attack.  DDoS 
employs  several  (up  to  thousands)  computers  to  saturate  and  exhaust 
enterprise  servers  until  the  system(s)  or  services,  such  as  a  web  server, 

70 

no  longer  function. 

Social 

Engineering 

Employs  behavior  science  and  manipulation  to  convince  users  to 
provide  unauthorized  access  to  information  systems.  Users  often 
unknowingly  reveal  sensitive  information  necessary  to  carry  out 
specific  actions.  Users  are  routine  targets  for  information  gathering  and 
often  referred  to  as  the  weakest  link  in  computer  security.74 

Phishing 

A  form  of  social  engineering  in  which  the  hacker  attempts  to  acquire 
sensitive  information  such  as  username  and  passwords  by 

7c 

masquerading  as  a  trustworthy  entity  in  an  electronic  communication. 

Backdoor 

A  covert  means  to  bypass  security  controls  by  inserting  unauthorized 
access  into  procured  software  or  hardware.  Tight  supply  chain 
management  standards  are  needed  to  avoid  the  presence  of  backdoors 
during  server  and  application  life  cycle  development  and  acquisition.76 

Eavesdropping 
and  War 

Driving 

Unauthorized  network  sniffers,  often  while  driving  an  automobile, 
eavesdrop  on  wireless  connections  to  gain  and  exploit  critical 

77 

information  and/or  passwords. 

Pharming 

An  attack  that  redirects  traffic  from  an  authorized  website  to  an 
unauthorized  website.  Pharming  uses  a  variety  of  methods  to  redirect  a 

70 

user  to  a  spoofed  website. 

Table  2:  Hacker  Tactics,  Techniques  and  Procedures 
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Finally,  cyber  tactics  produce  multiple  information  system  effects  that  facilitate 
the  actor’s  ability  to  deceive,  disrupt  or  destroy  software.  Confidentiality,  Integrity,  and 
Availability  (CIA  Triad)  represent  the  three  traditional  pillars  of  the  Information  Security. 
All  security  controls  and  safeguards  are  implemented  to  address  vulnerability  among  one 
or  more  of  these  principles.  Cybersecurity  practitioners  measure  all  cyber  risks,  threats, 
and  vulnerabilities  against  their  potential  for  compromise  by  one  or  all  of  the  CIA 
principles.  The  VERIS  incident  framework  adopts  the  “Parkerian  Hexad,”  which  pairs 
three  additional  effects  with  the  three  traditional  effects.  The  pairings  result  in  a 
complete  and  granular  framework  that  reduces  the  complexity  and  difficulty  of 
describing  cyber  effects.  Possession,  authenticity,  and  utility  are  paired  with 

o  1 

confidentiality,  integrity  and  availability  respectively.  Table  three,  Cyber  Attack 
Effects,  examines  the  combinations  of  a  hacker’s  desired  cyber  attack  effects. 


79  Harris,  CISSP:  All  in  One  Exam  Guide,  59-60. 

"'Adam  Beautement  and  David  Pym,  "Structured  Systems  Economics  for  Security  Management" 
(Ninth  Workshop  on  the  Economics  of  Information  Security  (WEIS),  Harvard  University,  June  7-8,  2010), 
2. 

81  The  extended  framework  is  sometimes  referred  to  as  the  “Parkerian  Hexad,”  after  the  designer  , 
Donn  Parker. 
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Effect 

Description 

Confidentialitv/Possession 

Confidentiality 

Ensures  that  the  necessary  level  of  secrecy  is  enforced  at  each  stage  of 
data  processing  and  prevents  unauthorized  disclosure.  The  necessary 
level  of  secrecy  should  prevail  while  data  resides  on  enterprise  systems, 
user  devices,  and  transmitting  the  network. 

Possession 

The  degree  to  which  the  system  owner  retains  possession  and  control  of 
information  or  information  systems  and  has  the  ability  to  prove  such 
control.  The  absence  of  possession  or  control  indicates  the  system 
owner  lacks  exclusive  custody  and  control  over  information.  The 
concept  of  endangerment  (exposure  to  potential  compromise)  is 
associated  with  this  attribute  whereas  actual  observation  or  disclosure  of 

oo 

data  falls  under  confidentiality. 

Intesritv/Authenticitv 

Integrity 

The  assurance  of  accuracy  and  the  prevention  of  unauthorized 
modification  to  information  and  information  systems.  The  protection  of 
information  systems  and  networks  from  outside  interference  and 

84 

contamination  is  essential  to  the  integrity  of  stored  information. 

Authenticity 

The  validity,  conformance,  correspondence  to  intent,  and  genuineness 
of  the  information  asset  or  data.  Loss  of  authenticity  includes 
misrepresentation,  repudiation,  and/or  misappropriation.  Information 

oc 

must  be  valid,  genuine,  and  must  conform  to  its  designed  intent. 

Availabilitv/Utilitv 

Availability 

Ensures  timely  access  to  data  and  resources  to  authorized  individuals. 
Systems  and  networks  should  provide  adequate  capacity  so  that 
productivity  is  not  negatively  affected.  Single  points  of  failure  should 
be  avoided,  back  up  measures  taken,  and  the  negative  effects  from 
environmental  factors  prevented.  Availability  is  essentially  “Up-Time” 
of  a  system.  86 

Utility 

The  usefulness  or  fitness  of  the  asset  (or  information)  for  its  intended 
purpose.  Loss  of  utility  includes  conversion  to  a  less  useable  or 
unintended  form.  Utility  is  distinguished  from  availability  in  that  the 
data  is  still  present  but  no  longer  as  useable  or  fit  for  its  intended 

87 

purpose. 

Table  3:  Cyber  Attack  Effects 
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The  multi-dimensional  cyber  threat  is  complex  and  requires  an  understanding  of 
cyber  actors,  tactics,  and  desired  effects.  The  range  of  motives  should  point  cybersecurity 
practitioners  to  focus  on  the  most  likely  cyber  tactics.  However,  cyber  strategists  and 
policy  makers  must  calculate  the  potential  effects  of  the  most  dangerous  scenarios 
capable  of  rivaling  a  national  disaster.  Stuxnet  is  that  type  of  catastrophic  event. 

Although  Stuxnet  has  yet  to  galvanize  the  national  will,  the  malicious  code  is  certainly  a 
precursor  to  impending  events. 


Case  Study:  Stuxnet 


I  know  that  when  people  think  of  cybersecurity  today,  they  worry  about  hackers  and 
criminals,  who  prowl  the  Internet,  steal  people’s  identities,  steal  sensitive  business 
information,  [and]  steal  even  national  security  secrets.  Those  threats  are  real  and  they 
exist  today.  But  the  even  greater  danger  -  the  greater  danger  facing  us  in  cyberspace 
goes  beyond  crime  and  it  goes  beyond  harassment.  A  cyber  attack  perpetrated  by  nation 
states  or  violent  extremists  groups  could  be  as  destructive  as  the  terrorist  attack  on  9/11. 

Such  a  destructive  cyber  terrorist  attack  could  virtually  paralyze  this  nation. 

-  Sec.  of  Defense  Leon  Panetta,  October  2012. 88 

Scientific  research  concludes  that  Stuxnet’ s  primary  objective  was  to  sabotage 

Iranian  uranium  enrichment  processes  by  reprogramming  centrifuges  to  operate  outside 

on 

of  specified  speed  boundaries.  Whether  Stuxnet  becomes  a  barely  noticed  prodromal 
event  to  a  future  catastrophic  crisis  or  a  watershed  Sputnik  moment  that  spurs  the  national 
will  toward  innovative  solutions  is  yet  to  be  determined.  However,  this  Stuxnet  case 
study  reveals  the  potential  dangers  to  the  United  States’  critical  infrastructure  information 
environments.  Stuxnet,  a  self-replicating  computer  virus,  surgically  targeted  the  Iranian 


8S  Leon  Panetta,  Remarks  by  Secretary  of  Defense  Leon  Panetta  to  the  Business  Executives  for 
National  Security  (Washington,  DC:  Office  of  the  Secretary  of  Defense,  October  11,  2012), 
http://www. defense.  gov/Transcripts/Transcript.aspx?TranscriptID=5 136;  (accessed  November  19,  2012). 

89  Eric  Chien,  Nicolas  Falliere,  and  Liam  Murchu,  W32.  Stuxnet  Dossier:  Version  1.4  (Cupertino, 
CA:  Symantec  Corporation,  2011),  47. 
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nuclear  program  and  delayed  their  uranium  enrichment  capability.90  Stuxnet  is  the  first 
clear  evidence  of  an  ultra-sophisticated  malware  directed  against  a  nation  state’s 
industrial  infrastructure.91  Symantec,  a  global  leader  in  software  security,  concluded  its 
comprehensive  report  on  Stuxnet  by  stating,  “The  real-world  implications  of  Stuxnet  are 
beyond  any  threat  we  have  seen  in  the  past.  Despite  the  exciting  challenge  in  reverse 
engineering  Stuxnet  and  understanding  its  purpose,  Stuxnet  is  the  type  of  threat  we  hope 

•  QD 

to  never  see  again.”  This  section  presents  a  case  study  examination  of  the  Stuxnet 
cyber  attack  in  order  to  illuminate  the  rising  and  genuine  threat  to  critical  infrastructures. 
Stuxnet  executed  four  major  technological  functions:  (1)  gain  physical  access  to  valued 
information  systems,  (2)  operate  nearly  undetected,  (3)  exploit  Microsoft  Windows 
Operating  System  (OS)  vulnerabilities,  and  (4)  disrupt  uranium  program  logic  controllers 
(PLC).93 

First,  traditional  information  security  access  control  measures  proved  ineffective 
against  a  sophisticated  and  determined  attacker.  Stuxnet’s  perpetrator  introduced  at  least 
three  universal  serial  bus  (USB)  devices,  containing  three  iteratively  lethal  versions,  into 
five  Iranian  industrial  environments  over  a  ten  month  period.94  Industrial  computing 
environments  typically  air-gap  or  physically  separate  essential  computing  systems  from 


90Chien,  Falliere,  and  Murchu,  W32.  Stuxnet  Dossier:  Version  1.4,  11. 

91  "The  Stuxnet  Worm,"  Chemical  Engineering  118,  no.  6  (June  2011), 
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(accessed  November  19,  2013). 

92  Chien,  Falliere,  and  Murchu,  W32.  Stuxnet  Dossier:  Version  1.4 ,  55. 

93  Michael,  “A  Declaration  of  Cyberwar.” 

PLC:  a  small  computer  that  controls  industrial  machinery.  PLCs  regulate  the  critical  functions  of 
modern  industrial  environments.  PLCs  are  used  for  countless  computer  operated  industrial  purposes  to 
include,  control  pressure  within  water  pipes,  spinning  speeds  of  uranium  centrifuges,  and  timing  of  traffic 
lights. 

94  Michael,  “A  Declaration  of  Cyberwar.” 
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the  global  Internet.95  However,  as  economies  globalize,  air-gapping  industrial  systems 
from  the  Internet  has  become  extremely  inconvenient  to  maintain.  Software  vendors 
reduce  costs  and  improve  just  in  time  software  maintenance  by  replacing  traditional 
courier  methods  with  online  software  downloads.  Industrial  factories  must  connect 
critical  systems  to  the  Internet  in  order  to  take  advantage  of  faster  supply  chain 
management  processes.96  Global  Internet  access  provides  the  most  convenient  and  cost 
effective  method  to  obtain  downloadable  software  patches.  Introducing  infected 
universal  serial  bus  (USB)  storage  devices,  often  coupled  with  social  engineering  tactics, 
is  an  effective  strategy  to  infiltrate  air-gapped  systems.  On  three  occasions,  between  June 
2009  and  May  2010,  Stuxnet  took  direct  aim  at  specific  organizations  within  the  Iranian 

no 

industrial  infrastructure.  However,  June  17,  2010  marks  the  date  of  Stuxnet’s  public 
discovery.99  Therefore,  Stuxnet  operated  undetected  through  thousands  of  computers  for 
an  entire  year  before  a  small  Belarus  cybersecurity  firm  uncovered  the  zero  day  malicious 
code.100  Administrative,  physical,  and  technical  access  control  measures  failed  to  prevent 
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VirusBlookAda,  a  small  Belurus  cybersecurity  firm,  was  the  first  to  discover  the  malicious  code 
within  their  Iranian  client’s  computing  system. 
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Stuxnet’s  propagation  into  Iranian  digital  networks.101  Once  inside  the  industrial 
computing  environment,  Stuxnet  spread  across  the  local  area  network  (LAN)  on  a  self- 
guided  seek  and  disrupt  mission. 

Second,  Stuxnet  contained  an  unprecedented  technological  capability  to  conceal 

its  presence.  Malicious  code  often  contains  forged  digital  signatures  to  deceive 

authentication  servers  and  host  computers  into  a  trust  relationship.  However,  Stuxnet 

102 

contained  two  authentic  digital  signatures  that  allowed  the  worm  instant  anonymity. 
The  authentic  digital  signatures  provided  Stuxnet  with  unquestioned  and  unimpeded 
access  to  Iranian  industrial  intranet.  No  other  malicious  code  has  ever  employed  even 

i  rn 

one  authentic  digital  signature.  The  authentic  digital  certificates  established  trust 
relationships  with  disparate,  but  connected,  computer  systems.  One  computing  system 
monitored  and  displayed  centrifuge  levels  while  another  computing  system  directed 
actual  industrial  functions. 

Third,  Stuxnet  exploited  the  Microsoft  Windows  Operating  System  within  the 
supervisory  control  and  data  acquisition  (SCAD A)  system  that  allowed  computers  to 
accurately  monitor  and  display  centrifuge  performance.104  In  the  weeks  following 
Stuxnet’s  discovery,  Microsoft  collaborated  with  software  giants,  Kaspersky  and 
Symantec,  to  develop  mitigation  and  clean  up  strategies.  The  security  teams’  analysis 
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revealed  Stuxnet  exploited  an  unprecedented  four  zero  day  vulnerabilities.105  Most 
information  computer  security  firms  view  the  exploitation  of  one  zero  day  vulnerability 
the  work  of  an  expert  hacker.106  Stuxnet  caused  monitoring  computers  to  display 
inaccurate  centrifuge  speed  levels,  while  other  Stuxnet  functions  worked  to  disrupt 
centrifuge  critical  functions.  Stuxnet  simultaneously  prevented  monitoring  systems  from 

1 07 

accurately  reporting  abnormal  centrifuge  levels. 

Fourth,  Stuxnet  reprogrammed  Iranian  uranium  centrifuges  to  operate  beyond 
specified  speed  boundaries.108  Stuxnet  contained  over  seventy  software  instructions, 
termed  function  blocks,  capable  of  altering  a  programmable  logic  controller’s  (PLC) 
intended  function.109  Programmable  logic  controllers  are  specialized  computers  that 
control  industrial  machinery  and  regulate  critical  industrial  functions.110  Stuxnet 
included  rogue  function  blocks  designed  to  supplant  the  genuine  function  blocks 
contained  within  a  specific  Siemens  model  PLC,  the  Siemens  S57.  The  Iranian  nuclear 
facility,  near  Natanz,  widely  employed  Siemens  S57s  to  control  speed  rates  of  uranium 
centrifuges.11 1  In  2009,  well  before  Stuxnet’s  public  discovery,  international  inspectors 
discovered  roughly  a  thousand  Natanz  gas  centrifuges  were  inoperable.  ~  Additionally, 


10  Michael,  “A  Declaration  of  Cyberwar.” 

106  Ibid. 

107  Ibid. 

108  Chien,  Falliere,  and  Murchu,  W32.  Stuxnet  Dossier:  Version  1.4,  43. 

109  “  The  Stuxnet  Worm.” 

110  Ibid. 

PLCs  are  used  for  countless  computer  operated  industrial  purposes  to  include  control  pressure 
within  water  pipes,  spinning  speeds  of  uranium  centrifuges,  and  timing  of  traffic  lights. 
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the  Symantec  report  concludes  that  nearly  seventy  percent  of  the  one  hundred  thousand 


113 

infected  computer  systems  occurred  within  Iranian  industrial  environments. 

The  Stuxnet  worm  maintained  surreptitious  and  repudiative  characteristics  while 
achieving  the  disruptive  and  purposeful  effects  of  a  cruise  missile.  Stuxnet  is  the  first 
worm  to  exploit  four  zero-day  vulnerabilities,  contain  two  authentic  digital  certificates, 
and  inject  code  into  industrial  control  systems  while  concealing  data  from  monitoring 
stations.114  Although  Stuxnet  broke  all  the  norms  for  malicious  code,  it  has  yet  to  thrust 
national  policy  makers  or  the  American  public  into  intellectual  crisis.  However, 
Secretary  of  Defense  Leon  Panetta’s  tone  and  tenor  during  a  2012  speech  relayed  the 
strategic  implications  of  Stuxnet  when  he  stated,  “As  director  of  the  CIA  and  now 
Secretary  of  Defense,  I  have  understood  that  cyber  attacks  are  every  bit  as  real  as  the 
more  well-known  threats  like  terrorism,  nuclear  weapons  proliferation  and  the  turmoil 
that  we  see  in  the  Middle  East.”115  Stuxnet  is  of  such  complexity,  not  unlike  nuclear 
weapons,  that  few  actors  possess  the  resources  necessary  to  produce  a  similar  threat.116 
By  comparison,  Conficker,  malware’s  previous  heavyweight  champion,  contained 
software  code  one-twentieth  the  size  and  lacked  Stuxnet’ s  functional  complexity. 
However,  the  costs  associated  with  advanced  technologies  continue  to  lower  over  time 
and  the  implications  of  a  Stuxnet-like  attack  against  an  electrical  grid  or  water 
purification  systems  are  too  catastrophic  to  continue  along  the  natural  science  path  of  the 


113  Chien,  Falliere,  and  Murchu,  W32.  Stuxnet  Dossier:  Version  1.4 ,  7. 

114  Ibid. 

1 15  Panetta,  Remarks  by  Secretary  of  Defense  Leon  Panetta. 

116  Michael,  “A  Declaration  of  Cyberwar.” 
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past  twenty  years.  As  costs  lower,  global  actors  will  seek  to  replicate  Stuxnet  in  both 


purpose  and  complexity.117 


117  Many  investigative  journals  and  security  analysts  point  to  the  United  States  and/or  Israel  as  the 
Stuxnet  creator.  However,  the  Symantec  report  indicates  that  only  a  state  sponsored  agency  is  capable  of 
developing  such  complex  malicious  code,  but  the  report  stops  short  of  confidently  implicating  an  attacker. 
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CHAPTER  2:  CYBER  SPACE  POLICY  REVIEW 


This  chapter  examines  nearly  two  decades  of  cybersecurity  policy.  The  policy 
research  reveals  two  flawed  theories,  first  established  by  the  Clinton  Administration,  that 
continue  to  drive  the  United  States  cybersecurity  strategy.  The  United  States 
cybersecurity  paradigm  rests  upon  the  Incremental  Progress  theory  and  the  Self- 
Regulation  theory.  Three  principle  beliefs  underpin  the  theories  that  shape  United  States 
cybersecurity  debate.  The  beliefs  that  (1)  voluntary  information  sharing  between  industry 
and  government  is  more  effective  than  mandated  information  sharing,  (2)  economic 
market  forces  inherently  drive  private  owners  of  critical  infrastructures  toward 
cybersecurity  best  practices,  and  (3)  incremental  cybersecurity  improvement  is  more 
effective  than  revolutionary  changes.1 

The  foundational  cybersecurity  principles  are  reminiscent  of  the  first  century 
Ptolemaic  theory  of  astronomy  that  purported  the  Earth  as  both  stationary  and  the  center 
of  the  universe.  Initially,  the  Ptolemaic  theory  successfully  predicted  the  positioning  of 
known  planetary  objects."  However,  as  civilizations  advanced  and  observation  tools 
improved,  the  Ptolemaic  theory  failed  to  resolve  the  increasing  quantity  of  orbital 
anomalies.  By  the  sixteenth  century,  a  contentious  intellectual  crisis  resulted  in  the 
Copernican  theory  of  astronomy  that  codified  the  sun  as  the  center  of  the  universe. 
Likewise,  successive  United  States  Presidential  Administrations  cling  to  an  outdated 
paradigm  that  fails  to  resolve  the  challenges  within  an  increasingly  dangerous 

1  President's  Commission  on  Critical  Infrastructure  Protection,  Critical  Foundations:  Protecting 
Americas  Infrastructure  (Washington,  DC:  Government  Printing  Office,  October  1997),  23. 

2  Thomas  S.  Kuhn,  The  Structure  of  Scientific  Revolutions,  3rd  ed.  (Chicago:  The  University  of 
Chicago  Press,  1962),  68. 

3  Kuhn,  The  Structure  of  Scientific  Revolutions,  69. 
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cybersecurity  environment.  However,  the  United  States  does  not  have  the  luxury  of 
waiting  fifteen  hundred  years  to  abandon  its  flawed  cybersecurity  paradigm. 

This  chapter  divides  the  historical  examination  of  cybersecurity  of  critical 
infrastructure  into  three  historical  periods:  The  Second  Clinton  Administration  (1996- 
2000),  The  Bush  Administrations  (2001-2008),  and  The  First  Obama  Administration 
(2009-2012).  The  review  examines  Presidential  Directives,  Executive  Orders,  policy 
documents  and  Congressional  legislation. 

The  Second  Clinton  Administration  (1996-2000) 

The  Information  Age  ushered  a  new  wealth  system  of  globalization  that  forced 
United  States’  policy  makers  to  evaluate  emerging  threats  to  national  security.4  Although 
the  United  States’  policy  for  securing  information  systems  dates  back  to  twentieth 
century  radiotelegraphs,  sustained  and  formal  emphasis  in  the  modem  Information  Age 
began  in  1996  with  the  issuance  of  Presidential  Executive  Order  13010. 5  On  July  15, 
1996,  Presidential  Executive  Order  13010  codified  new  language  within  the  national 
security  environment,  initiated  the  United  States  cybersecurity  of  critical  infrastructure 
paradigm,  and  created  the  President’s  Commission  on  Critical  Infrastructure  Protection. 
Presidential  Executive  Order  13010  formally  acknowledged  the  reality  that  the 
preponderance  of  national  critical  infrastructure  ownership  resides  within  the  commercial 
sector.  As  of  2012,  private  sector  ownership  of  United  States’  critical  infrastructure 


4  Tom  Leithauser,  "CRS  Report  Paints  Complex  Picture  of  Cybersecurity  Policy  Landscape," 
Cybersecurity  Policy  Report  (December  201 1):  1, 

http://search. proquest. com.ezproxy6.ndu.edu/doc view/920195648?accountid=  12686  (accessed  February 
24,2013). 

5  Executive  Order  no.  13010,  "Critical  Infrastructure  Protection,"  Federal  Register  61,  no.  138, 
title  3  (July  15,  1996),  http://www.gpo.gov/fdsys/pkg/FR-1996-07-17/pdf/96-18351.pdf  (accessed  October 
27,  2012). 
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exceeded  eighty  percent.6 7  Privately  owned  critical  infrastructures,  to  include  electrical 
grids,  oil  and  gas  pipelines,  and  water  treatment  facilities,  are  national  capabilities  that 
underpin  the  United  States’  economy,  social  structures,  and  national  defense.  Executive 
Order  13010  was  the  first  national  policy  document  to  define  cyber  threats  within  the 
context  of  national  critical  infrastructure.  Executive  Order  13010  definition  of  critical 
infrastructure  is  listed  below: 

Critical  infrastructures  are  certain  national  infrastructures  so  vital 
that  their  incapacity  or  destruction  would  have  a  debilitating  impact  on  the 
defense  or  economic  security  of  the  United  States. 

These  critical  infrastructures  include  telecommunications, 
electrical  power  systems,  gas  and  oil  storage,  transportation,  banking  and 
finance,  transportation,  water  supply  systems,  emergency  services 
(including  medical,  police,  fire,  and  rescue),  and  continuity  of 
government. 

Because  many  of  these  critical  infrastructures  are  owned  and 
operated  by  the  private  sector,  it  is  essential  that  the  government  and 
private  sector  work  together  to  develop  a  strategy  for  protecting  them  and 

' 7 

assuring  their  continued  operation. 


Presidential  Executive  Order  13010  established  the  President’s  Commission  on  Critical 
Infrastructure  Protection  to  accomplish  the  following  tasks: 

1.  Assess  the  scope  and  nature  of  vulnerabilities  and  threats  to  critical 
infrastructures. 

2.  Determine  the  legal  and  policy  issues  contained  within  efforts  to 
protect  critical  infrastructures;  How  can  such  issues  be  addressed? 

3.  Recommend  a  comprehensive  national  policy  and  implementation 
strategy  for  protecting  critical  infrastructures  from  physical  and  cyber 
threats  and  assure  their  continued  operation. 


6  Telecommunications  Industry  Association,  "Securing  the  Network:  Cybersecurity 
Recomendations  for  Crtical  Infrastructure  and  the  Global  Supply  Chain,"  Telecommunications  Industry 
Association,  http://tiaonline.org/policy/securing-network-cvbersecurity-recommendations-critical- 
infrastructure-aiid-global-supplv  (accessed  January  18,  2012). 

7  Executive  Order  no.  13010,  "Critical  Infrastructure  Protection."  (emphasis  added) 


41 


4.  Propose  statutory  or  regulatory  changes  necessary  to  effect  the 
strategy’s  recommendation;  and  produce  reports  and 
recommendations . 


Armed  with  specified  tasks,  the  Commission  established  a  national  cybersecurity 
framework  that  impeded  efforts  to  secure  information  systems  within  critical 
infrastructures  nearly  twenty  years  later. 

In  1997,  the  Commission  issued  its  report  entitled,  Critical  Foundations: 
Protecting  America ’s  Infrastructures.  The  late  1990s  serve  as  the  historical  backdrop  for 
the  Clinton  Administration  policy  report.  During  this  period,  the  private  sector  controlled 
the  majority  of  critical  infrastructures,  information  systems  dependency  grew 
exponentially,  and  the  borderless  networked  environment  created  tremendous  economic 
opportunities.  Critical  Foundations  is  the  first  major  policy  document  to  address  critical 

o 

infrastructure  protection  (CIP).  Despite  the  explicit  task  from  Presidential  Executive 
Order  13010  to  focus  on  physical  and  cyber  threats,  the  fifteen  month  strategic  analysis 
of  national  infrastructure  resulted  in  a  one  hundred  ninety-two  page  report  that  dedicates 
less  than  five  pages  to  the  physical  threats  against  critical  infrastructure.  The  omission  of 
physical  threats  from  the  final  report  underscores  the  emerging  digital  environment 
marked  by  the  late  nineties.  Critical  Foundations  asserts  that  the  physical  security 
mindset  “that  served  us  so  well  in  the  past,  offer  little  protection  from  the  cyber  threat.”9 
At  initial  glance,  Critical  Foundations  depicts  an  awareness  of  a  changing  strategic 
environment  and  subsequent  requirement  for  critical  and  creative  thinking  to  solve 


8  John  McCarthy  et  al.,  “Cyberpower  and  Critical  Infrastructure  Protection:  A  Critical  Assessment 
of  Federal  Efforts,”  in  Cyberpower  and  National  Security ,  ed.  Franklin  D.  Kramer,  Stuart  H.  Starr,  and 
Larry  K.  Wentz,  1st  ed.  (Dulles,  VA:  Potomac  Books,  2009),  544. 

9  President's  Commission  on  Critical  Infrastructure  Protection,  Critical  Foundations,  vii. 
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twenty-first  century  challenges.  The  Commission  boldly  begins  the  report  declaring  that 
the  presence  of  information  security  vulnerabilities  within  privately  owned  critical 
infrastructures  threatens  to  jeopardize  national  security  in  a  manner  that  requires 
innovative  thinking.10  However,  Critical  Foundations  presents  a  business  case  and 
strategic  plan  that  fails  to  invoke  new  thinking,  places  responsibility  for  public  trust  of 
critical  infrastructure  on  market  forces,  and  pursues  an  Industrial  Age  physical  security 
mindset. 

The  Commission  adopted  planning  precepts  to  guide  their  analysis  of  critical 
infrastructure  protection.  The  Commissions’  planning  guideposts  restrict  critical  and 
creative  thinking  required  to  produce  strategies  consistent  with  its  bold  ambitions.  The 
Commission’s  planning  guidelines  led  to  misguided  solutions  that  impede  the 
cybersecurity  of  critical  infrastructures.  Since  the  late  nineties,  policy  makers  routinely 
invoke  the  logic  expressed  within  Critical  Foundations  to  criticize  divergent  ideas 
resembling  those  expressed  by  the  Cybersecurity  Act  of  2012  and  this  thesis.  Below  are 
the  Commission’s  self-imposed  planning  guidelines  (Appendix  1  depicts  the 
Commission’s  Seven  Point  Strategy): 


10 


Ibid. 
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The  Commission’s  Planning  Guidance 


Build  on  that  which  exists. 

It  will  be  easier  and  faster  to  implement,  more  effective,  and  more  likely 
to  be  accepted  than  creating  something  new. 

Practice  continuous  improvement. 

Take  action  in  affordable  increments.  There  is  no  “magic  bullet”  solution. 
Aim  not  only  to  protect  the  infrastructures,  but  also  to  enhance  them. 

Coordinate  security  with  maintenance  and  upgrades. 

Security  should  be  incorporated  in  planned  maintenance  and  scheduled 
upgrades. 

Depend  on  voluntary  cooperation. 

Partnerships  between  industry  and  government  will  be  more  effective  and 
efficient  than  legislative  regulation. 

Start  with  the  owners  and  operators. 

They  have  a  strong  economic  state  in  protecting  their  assets  and 
maximizing  customer  satisfaction.  They  understand  the  infrastructures 
and  have  experience  in  responding  to  outages. 

Minimize  changes  to  government  oversight  and  regulation. 

Several  of  the  infrastructures  have  a  long  history  of  government 
regulation,  with  a  clear  legislative  mandate  and  a  record  of  success.  We 
consciously  avoided  proposing  significant  changes  in  regulation. 

Promote  government  leadership  by  example. 

Government-owned  facilities  should  be  among  the  first  to  adopt  best 
practices,  active  risk  management,  and  improved  security  planning. 11 


Three  of  the  planning  guidelines  produce  what  this  author  terms  the  Incremental 
Progress  theory.  The  Commission  limited  its  potential  solutions  by  viewing  the  problem 
through  the  collective  lens  of  (1)  building  on  what  exists,  (2)  practicing  continuous 
improvement,  and  (3)  coordinating  security  with  maintenance  and  upgrades.  Since  the 
publishing  of  Critical  Foundations ,  the  United  States  cybersecurity  policies  adopt  natural 
science  strategies  devoid  of  game  changing  possibilities.  Commonly  accepted  lessons 


11  President's  Commission  on  Critical  Infrastructure  Protection,  Critical  Foundations,  23. 
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from  the  Stuxnet  attack  include  banning  the  presence  of  USB  devices  and  frequent 

12 

replacement  of  hardware  and  software  within  the  industrial  information  environments. 
However,  these  tactical  approaches  are  inefficient,  expensive  and  ineffective.  At  best, 
such  efforts  are  short  term  procedures  capable  of  delaying  an  adversary  for  a  limited 
period  of  time.  The  United  States  must  simultaneously  execute  short-term  mitigation 
procedures  while  aggressively  pursuing  long  term  strategic  solutions.  Cybersecurity  in 
the  Information  Age  requires  a  revolutionary  shift.  Unfortunately,  the  Incremental 
Progress  theory  continues  to  dominate  the  United  States  cybersecurity  policy 
development  processes. 

Three  additional  planning  guidelines  catalyzed  what  this  author  titles  the  Self- 
Regulation  theory.  The  Self-Regulation  theory  stems  from  the  notions  that  cybersecurity 
of  critical  infrastructure  is  best  executed  when  (1)  private  sector  infrastructure  owners 
voluntarily  collaborate  with  the  government  cybersecurity  efforts  and  that  (2)  the 
economic  marketplace  inherently  drives  owners  toward  cybersecurity  best  practices. 
Since  the  publishing  of  Critical  Foundations,  the  United  States  cybersecurity  policies 
consistently  denounce  regulatory  enforcement  or  mandatory  oversight  over  privately 
owned  critical  infrastructure.  In  2013,  Senator  Jay  Rockefeller  (D-WV)  sought 
cybersecurity  legislation  input  from  Fortune  500  CEOs.  The  results  indicate  that  while 
the  private  sector  welcomes  access  to  government  cyber  threat  data,  CEOs  oppose  the 
concept  of  a  mandated  two-way  relationship.  The  Chamber  of  Commerce  successfully 

12  Deborah  L.  Wheeler,  "Understanding  Cyber  Threats."  in  Cybersecurity:  Public  Sector  Threats 
and  Responses ,  ed.  by  Kim  Andreasson,  1st  ed.  (Boca  Raton,  FL:  CRC  Press,  2012),  41. 

13  J.  N.  Hoover,  "CEOs  Voice  Support  for  Cyber  Legislation,  with  Caveats,"  Information  Week, 
http://www.informationweek.com/government/policv/ceos-voice-support-for-cvber- 

legislation/240147638?quervText=cybersecuritv  act  of  2012  (accessed  September  21,  2012). 
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lobbied  to  emasculate  the  Cybersecurity  Act  of  2012,  the  most  promising  cybersecurity 
bill  of  the  112th  Congress,  by  stripping  directed  two-way  information  sharing  and  federal 
oversight  components  from  its  language. 14  Lobbyist,  CEOs,  and  government  officials 
continue  to  purport  the  Self-Regulation  theory  as  a  proven  concept  for  national 
cybersecurity. 

In  response  to  the  Critical  Foundations  report,  the  Clinton  Administration  issued 

Presidential  Decision  Directive  63  (PDD-63)  for  the  explicit  purpose  of  producing  a 

“workable  and  innovative  framework  for  critical  infrastructure  protection.”15  Below  is 

the  cybersecurity  framework  as  outlined  by  PDD-63: 

Immediately  establish  a  national  center  to  warn  of  and  respond  to  attacks; 

Ensure  the  capability  to  protect  critical  infrastructures  from  intentional 
acts  by  2003. 

Addresses  cyber  and  physical  infrastructure  vulnerabilities  within  the 
Federal  government  by  requiring  each  department  and  agency  to  work  to 
reduce  its  exposure  to  new  threats; 

Requires  the  Federal  government  to  serve  as  a  model  to  the  rest  of  the 
country  for  how  infrastructure  protection  is  to  be  attained; 

Seeks  the  voluntary  participation  of  private  industry  to  meet  common 
goals  for  protecting  our  critical  systems  through  public-private 
partnerships'. 

Protect  privacy  rights  and  utilize  market  forces.  It  is  meant  to  strengthen 
and  protect  the  nation 's  economic  power,  not  to  stifle  if. 

Seek  full  participation  and  input  from  the  Congress.16 


14  Ibid. 

15  U.S.  Presidential  Decision  Directive  63,  "Protecting  America's  Critical  Infrastructure,"  (May  22, 
1998),  http://www.fas.org/irp/offdocs/pdd-63.htm  (accessed  October  27,  2012). 

16  Ibid,  (emphasis  added) 
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The  Self-Regulation  and  Incremental  Progress  theories  influence  every  cybersecurity 
debate  and  policy  to  include  those  created  by  the  Bush  and  Obama  Administrations. 

These  flawed  theories  negatively  influence  Presidential  and  Congressional  efforts  to 
secure  critical  infrastructure. 

The  Bush  Administration  (2001-2008) 

The  terrorist  attacks  on  September  11,  2001  spawned  three  legislative  codes  that 
affected  the  nation’s  approach  to  cybersecurity  of  critical  infrastructure:  USA  PATRIOT 
ACT,  the  Homeland  Security  Act  of  2002,  and  the  Federal  Information  Security 
Management  Act  of  2002  (FISMA).  While  neither  the  Uniting  Strengthening  America 
(by)  Providing  Appropriate  Tools  Required  (to)  Intercept  (and)  Obstruct  Terrorism  Act  of 
2001  (USA  PATRIOT  Act)  nor  the  Homeland  Security  Act  of  2002  are  cybersecurity 
centric,  both  add  insight  into  the  United  States’  paradigm  for  the  cybersecurity  of  critical 
infrastructure.  Section  217  of  the  USA  PATRIOT  Act  includes  a  provision  that  allows 
private  companies  the  voluntarily  option  to  authorize  law  enforcement  to  intercept 
electronic  communication.  The  Homeland  Security  Act  of  2002  (HSA)  created  the 
Department  of  Homeland  Security  and  consolidated  many  operational  cybersecurity 
responsibilities  under  the  purview  of  the  newest  cabinet  level  agency.  In  December 
2003,  Homeland  Security  Presidential  Directive  7  (HSPD-7),  Critical  Infrastructure 
Identification,  Prioritization,  and  Protection  designated  the  Department  of  Homeland 
Security  as  the  lead  agency  for  Information  Technology  and  Communications  sectors, 
with  the  specific  responsibility  to  share  threat  information,  help  assess  vulnerabilities, 

17  Daniel  Castro,  "U.S.  Federal  Cybersecurity  Policy,"  in  Cybersecurity:  Public  Sector  Threats 
and  Responses,  ed.  by  Kim  Andreasson.  1st  ed.  (Boca  Raton,  FL:  CRC  Press,  2012),  127-58. 
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encourage  appropriate  protective  action,  and  develop  contingency  plans.19  In  2010,  the 

Department  of  Homeland  Security  became  the  lead  agency  for  the  national 

implementation  of  the  Federal  Information  Security  Management  Act  of  2002.“  While 

other  federal  agencies  maintain  significant  cybersecurity  responsibilities,  the  DHS  is  the 

2 1 

lead  agency  for  the  protection  of  critical  infrastructure. 

The  Federal  Information  Security  Management  Act  of  2002 
In  2002,  the  107th  Congress  passed  the  Federal  Information  Security  Management 
Act  (FISMA)  as  Title  III  of  the  E-Govemment  Act  of  2002  in  response  to  growing  threats 
within  cyber  space.  The  Federal  Information  Security  Management  Act  of  2002 
consolidated  overlapping  responsibilities  and  eliminated  obsolete  mandates  contained 
within  the  Paperwork  Reduction  Act  of  1980,  the  Counterfeit  Access  Device  and 
Computer  Fraud  and  Abuse  Act  of  1984,  and  the  Computer  Security  Act  of  1987. 
Congress  enacted  FISMA,  the  nation’s  most  comprehensive  cybersecurity  legislation,  to 
establish  information  security  protections  commensurate  with  risks  to  government 


19  U.S.  President,  Cyberspace  Policy  Review:  Assuring  a  Trusted  and  Resilient  Information 
and  Communications  Infrastructure  (Washington  DC:  Government  Printing  Office,  May  2009), 
www.whitehouse.gov/assets/documents/cyberspace_policy_review_final.pdf  (accessed  August  11,  2012), 

4. 

20  Executive  Office  of  the  President,  Memo  to  the  Heads  of  Executive  Departments  and  Agencies, 
FY  2010  Reporting  Instructions  for  the  Federal  Information  Security  Management  Act  and  Agency  Privacy 
Management,  April  21,  2010, 

http://www.  whitehouse.  gov/sites/default/files/omb/assets/memoranda  20 1 0/ml 0- 1 5 .pdf  (accessed 
September  21,  2012). 

21  Ibid. 

22  National  Institute  of  Standards  and  Technology,  “Security  Management  and  Assurance:  FISMA 
Overview,”  U.S  Department  of  Commerce,  http://csrc.nist.gov/groups/SMA/fisma/overview.html 
(accessed  January  18,  2012). 

23  Daniel  White,  "The  Federal  Information  Security  Management  Act  of  2002:  A  Potemkin 
Village,"  Fordham  Law  Review  79,  no.  1  (October  2010):  369,  http://fordhamlawreview.org/articles/the- 
federal-information-securitv-management-act-of-2002-a-potemkin-village  (accessed  October  4,  2012). 
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24 

information  systems.  While  the  DHS  is  the  lead  agency  for  implementation  and 
compliance  with  FISMA,  the  Office  of  Management  and  Budget  (OMB)  ensures  FISMA 
compliance,  submits  an  annual  report  to  Congress,  and  maintains  punitive  IT  budgetary 
authority  over  federal  agencies.  Additionally,  each  agency  Inspector  General  submits 
an  annual  best  practice  security  control  evaluation  to  Congress.26  The  National  Institute 
of  Science  and  Technology  (NIST)  authors  FISMA  implementation  strategies.  Although 
private  owners  of  infrastructure  are  not  bound  by  FISMA,  the  law’s  construct  provides  an 
applicable  window  into  how  the  United  States  might  regulate  privately  owned  and 
operated  critical  infrastructures.  The  remainder  of  this  section  examines  FIMSA’s 
construct. 

The  National  Institute  of  Science  and  Technology  (NIST)  risk-management 
framework  (RMF)  is  the  centerpiece  of  the  federal  government’s  cybersecurity 
implementation  approach.  In  2010,  the  FISMA  compliance  model  transitioned  from  a 
static  Certification  and  Accreditation  (C&A)  process  into  a  continuous  Risk  Management 
Framework  (RMF)C  The  C&A  process  is  best  described  as  a  static  snapshot  in  time 
inspection  where  results  become  obsolete  quickly.  The  Certification  and  Accreditation 
compliance  methodology  steers  federal  agency  information  security  efforts  toward  strict 
regulatory  compliance  often  at  the  detriment  of  effective  cybersecurity  best  practices. 

2  Office  of  Management  and  Budget,  FY  2011  Report  to  Congress  on  the  Implementation  of  the 
Federal  Information  Security  Management  Act  of  2002  (Washington  DC:  Government  Printing  Office, 
March  2012),  6. 

25  Ibid. 

FISMA  compliance  is  not  applicable  to  national  security  related  information  security  within  the 
federal  government  (DoD  and  CIA). 

26  Office  of  Management  and  Budget,  FY  201 1  Report  to  Congress  on  FISMA. 

21  National  Institute  of  Standards  and  Technology,  Guide  for  Applying  the  Risk  Management 
Framework  to  Federal  Information  Systems,  Rev.  ed.  (Washington  DC:  Government  Printing  Office, 
February  2010),  1. 
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For  example,  the  FY2008  Office  of  Management  and  Budget  FISMA  implementation 
report  provided  a  Certification  and  Accreditation  grade  of  satisfactory  or  higher  to  ninety- 
two  percent  of  federal  agencies.  '  However,  for  this  same  time  period,  a  GAO  report 
stated  that  the  same  agencies  “did  not  implement  controls  to  sufficiently  prevent,  limit,  or 
detect  access  to  computer  networks,  systems,  or  information.”  Conversely,  the  RMF  is 
a  six-phased  life-cycle  management  process  designed  to  assess  and  mitigate  an 
information  systems’  vulnerabilities  from  acquisition  to  retirement. 

The  most  accurate  assessment  of  the  Act’s  ability  to  improve  cybersecurity  is  one 
of  unrealized  potential.  In  2011,  the  GAO  reported  a  650%  increase  of  information 

on 

security  incidents  directed  against  federal  agencies  between  2006  and  2011.  However, 

•3  1 

incident  rates  are  not  necessarily  accurate  measurements  of  cybersecurity  performance. 
CIOs  and  IT  managers  often  discover  previously  concealed  cyber  vulnerabilities  and 
intrusions  after  introducing  improved  intrusion  detection  systems  and  intrusion 
prevention  systems  (IDS/IPS)  to  the  information  environment.  Effective  IDS/IPS  often 


~s  J.  N.  Hoover,  "Cybersecurity  Balancing  Act,"  Information  Week, 
http://www.informationweek.com/security/ government/c  ybersecurity-balancing-act/2 17100126  (accessed 

September  21,  2012). 

29  Government  Accounting  Office,  Although  Progress  Reported,  Federal  Agencies  Need  to 
Resolve  Significant  Deficiencies,  by  Gregory  Whilshuen  (Washington  DC:  Government  Printing  Office, 
2008),  3. 

30  Government  Accounting  Office,  Information  Security:  Weaknesses  Continue  Amid  New 
Federal  Efforts  to  Implement  Requirements,  by  Gregory  Whilshuen  (Washington  DC:  Government  Printing 
Office,  2011),  4. 

31  Robert  O'Harrow,  "Hacking  Tool  Kits,  Available  Free  Online,  Fuel  Growing  Cyberspace  Arms 
Race."  Washington  Post,  November  13,  2013,  http://www.washingtonpost.com/investigations/hacking- 
tool-kits-available-free-online-fuel-growing-cyberspace-arms-race/2012/ll/12/ladd77a4-21e6-l  Ie2-ac85- 

e669876c6a24  story. html?wpisrc=emailtoafriend  (accessed  November  15,  2013). 

The  global  explosion  of  pre-packaged  malicious  software  occured  during  the  same  time  perioed 
(2006-present).  Therefore,  the  gross  quantity,  acccess  and  execution  of  pre-packaged  malicious  code  is 
much  simplier  than  ever  before.  The  computer  technology  skill  set  required  to  launch  a  cyber  attack  is 
lower  than  at  any  other  point  in  history.  This  trend  is  expected  to  continue. 
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32 

transforms  unknown  unknowns  and  unknown  knowns  into  known  knowns.  In  fact,  the 
U.S  Computer  Emergency  Readiness  Team  (US-CERT),  a  division  of  the  DHS,  attributes 
the  GAO’s  reported  growth  statistics,  at  least  in  part,  to  improved  intrusion  detection 
procedures  and  technology.33 

The  2011  GAO  report’s  most  damaging  conclusion  is  the  systematic  lack  of 
information  security  controls  across  federal  agencies.34  FISMA  requires  agency 
Inspector  Generals  and  the  GAO,  under  the  purview  of  the  OMB,  to  conduct  annual 
security  control  evaluations,  determine  deficiencies,  and  remediation  actions.  The  201 1 
GAO  report  concluded  that  widespread  information  security  control  deficiencies  within 
federal  agencies  expose  information  systems  to  “elevated  risk  of  unauthorized  use, 
disclosure,  modification,  and  disruption.”36  The  report  cited  systematic  deficiencies 
across  control  areas  to  include  access  control,  configuration  management,  and  continuity 
of  operations.37  Specifically,  among  the  most  damaging  and  pervasive  weaknesses  are 


32  Slavoj  Zizek,  "What  Rumsfeld  Doesn't  Know  that  He  Knows  about  Abu  Ghraib,"  In  These 
Times  and  the  Institute  for  Public  Affairs,  http://inthesetimes.com/article/747/  (accessed  January  21,  2013), 
( emphasis  added). 

33  Government  Accounting  Office,  Information  Security:  Weaknesses  Continue,  4. 

34  Ibid.,  11. 

35  National  Institute  of  Standards  and  Technology,  Guide  for  Applying  the  Risk  Management 
Framework ,  42. 

36  Government  Accounting  Office,  Information  Security:  Weaknesses  Continue,  11. 

37  Ibid. 

Government  Accounting  Office’s  information  security  management  controls: 

Access  control:  ensures  only  authorized  individuals  can  view/read,  modify  or  delete  information. 

Configuration  Management  Control:  ensures  CEO/CIO/IT  management  approved  software  or 
network  additions,  deletions  or  modifications  are  conducted  to  enterprise  level  software/hardware. 

Segreation  of  Duties:  reduces  the  risk  that  one  individual  (to  include  authorized  system 
administrators)  can  independently  perform  inadvertent  or  inappropriate  enterprise  level  configuration 
changes. 

Continuity  of  Operations:  Ensures  a  CEO/CIO  approved  plan  to  maintain  some  or  all  enterprise 
information  functions  in  the  case  of  widespread  information  loss.  Examples:  SIPRnet,  Blackberry 
Enterprise  Server,  email,  and  collaboration  sites. 
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the  lack  of  continuous  monitoring  mechanisms  and  adequate  identification  and 

TO 

authentication  measures. 

In  2010,  the  Obama  Administration  identified  three  FISMA  priorities,  Continuous 
Monitoring,  Trusted  Internet  Connections  (TIC),  and  Federal  Personal  Identity 
Verification  (PIV),  designed  to  improve  cybersecurity  across  the  federal  government. 
Among  these  priorities,  continuous  monitoring  represents  the  largest  potential  to  evolve 
FISMA  into  an  effective  cybersecurity  regulation.  The  ultimate  goal  of  continuous 
monitoring  is  to  overlay  each  federal  agency’s  information  security  environment  and 
create  a  cybersecurity  common  operating  picture  (COP)  that  reveals  seams,  trends  and 

TO 

threats.  In  201 1,  the  OMB  directed  federal  agencies  to  collect  continuous  monitoring 
and  data  feeds  and  submit  results  via  Cyber  Scope.  Cyber  Scope,  a  secure  reporting 
software  platform  designed  to  replace  unsecure  email  reporting,  represents  the  first  step 
toward  continuous  monitoring.40  However,  Cyber  Scope  does  not  perform  actual 
continuous  monitoring  functions.  Cyber  Scope  improves  the  security,  timeliness, 
standardization  of  automated  reporting,  not  monitoring .41  Cyber  Scope’s  standardized 
reporting  metrics  and  procedures  provide  increased  insight  into  federal  information 
security  environment’s  data  points.  However,  sixteen  of  the  twenty-four  major  U.S. 
federal  agencies  did  not  monitor  networks  adequately  for  suspicious  activities  and  were 


38  Ibid.,  33. 

39  Phillip  Kimmey,  "FISMA,  Cyberscope,  and  Federal  IT  Security,"  Center  for  Strategic  and 
International  Studies,  http://csis.org/blog/fisma-cvberscope-and-federal-it-security  (accessed  January  14, 
2013). 

40  Kimmey,  “FISMA,  Cyberscope,  and  Federal  IT  Security.” 


52 


unable  to  report  timely  information  security  incidents.43  Although  Cyber  Scope  will 
allow  the  DHS  to  better  understand  vulnerabilities  with  the  federal  information 
environment,  the  vast  majority  of  vulnerabilities  will  remain  unknown  unknowns  until  a 
viable  continuous  monitoring  process  is  implemented.  The  Federal  Information  Security 
Management  Act  of  2002  continues  to  improve  as  an  iterative  process  and  serves  as  a 
preview  of  how  the  United  States  could  regulate  the  cybersecurity  of  privately  owned 
critical  infrastructure. 

The  2003  National  Strategy  to  Secure  Cyber  Space 
The  Bush  Administration’s  2003  National  Strategy  to  Secure  Cyber  Space  ( 2003 
National  Strategy )  is  based  upon  the  Self-Regulation  theory.  The  Self-Regulation  theory 
is  a  pillar  of  the  United  States’  cybersecurity  of  critical  infrastructure  paradigm.  This 
paradigm  is  unlikely  to  reduce  the  risks  of  a  catastrophic  cyber  attack.  The  2003 
National  Strategy ’s  guiding  principles  contend  that  economic  market  inherently  steer 
private  owners  of  critical  infrastructures  toward  cybersecurity  best  practices  and  that 
voluntary  information  sharing  between  industry  and  government  is  more  effective  than 
mandated  information  sharing.  The  2003  National  Strategy ’s  implementation  of  the  Self- 
Regulation  theory  reads  as  follows: 

Regulation  and  Market  Forces:  Federal  regulation  will  not  become 
a  primary  means  of  securing  cyber  space.  Broad  regulations  mandating 
how  all  corporations  must  configure  their  information  systems  could 
divert  more  successful  efforts  by  creating  a  lowest  common  denominator 
approach  to  cybersecurity,  which  evolving  technology  would  quickly 
marginalize.  Even  worse,  such  an  approach  could  result  in  less  secure 
and  more  homogeneous  security  architectures  than  we  have  now.  By  law, 
some  federal  regulatory  agencies  already  include  cybersecurity 


|  !  Government  Accounting  Office,  Information  Security:  Weaknesses  Continue,  13. 
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considerations  in  their  oversight  activity.  However,  the  market  itself  is 
expected  to  provide  the  major  impetus  to  improve  cybersecurity.44 

The  Self-Regulation  theory  has  not  successfully  withstood  the  realities  of  the 

information  security  environment.  The  frequency  and  lethality  of  targeted  cyber  attacks 

against  United  States’  critical  infrastructure  is  increasing  at  an  alarming  rate.45  In  201 1, 

hackers  breeched  several  United  States  financial  institutions  to  include  the  NASDAQ 

Stock  Market.46  In  2012,  the  United  States  banking  industry  experienced  a  massive 

coordinated  Distributed  Denial  of  Service  attack.  47 

In  2004,  CIO  Magazine  published  a  special  edition  article  titled,  “Tips  from  the 

Budget  Masters.”  The  article  presented  IT  budget  management  insights  from  industry 

leading  Chief  Information  Officers  (CIO).  The  former  CIO  of  PNC  Financial  Services 

Group,  Tim  Shack,  outlined  PNC’s  approach  to  information  technology  (IT)  strategic 


44  U.S.  President,  The  National  Strategy  to  Secure  Cyberspace  (Washington  DC:  Government 
Printing  Office,  February  2003),  http://www.us-cert.gov/reading  room/cyberspace  strategy.pdf  (accessed 
October  4,  2012),  15.  ( emphasis  added ) 

45  House  Committee  on  Homeland  Security,  Examining  the  Homeland  Security  Impact  of  the 
Obama  Administration's  Cybersecurity  Proposal  Hearing  before  the  Subcommittee  on  Cybersecurity, 
Infrastructure  Protection,  and  Security  Technologies,  112th  Cong.,  1st  sess.,  June  24,  2011,  11. 

46  Ibid. 

47  Tracy  Kitten,  "Are  Banks  Winning  the  DDoS  Battle?"  Information  Security  Media  Group 
Corporation,  http://www.bankinfosecurity.com/are-banks-winning-ddos-battle-a-5434/p-2  (accessed 
February  3,  2013). 

The  DDoS  attack  during  the  fall  of  2012  impacted  nearly  every  major  U.S.  financial  and  banking 
institution.  The  financial  and  banking  online  accessibility  gold  standard  is  99.5%.  During  the  fall  of  2012, 
the  accessiblity  rate  dropped  to  a  dismal  94.86%.  As  of  the  weekend  January  13,  2012,  the  rate  hovers  at 
97.21%.  The  impaced  institutions  includes:  PNC  Financial  Services  Group,  BB&T,  Fifth  Third  Bank, 

Bank  of  America,  JPMorgan,  Chase,  Citigroup,  Wells  Fargo,  U.S.  Bancorp,  CapitalOne,  HSBC,  Ally  Bank, 
SunTrust  Banks,  Regions  Financial  Corp.  and.Zions  Bancorp. 

48  Stephanie  Overby,  "Tips  From  the  Budget  Masters,"  CIO  Magazine,  Special  Issue,  Fall/Winter 
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planning.49  PNC  Financial  Services  analyzes  every  potential  IT  strategic  investments 
against  four  evaluation  criteria:  (1)  regulatory  compliance,  (2)  revenue  generating 
potential,  (3)  expense  reducing  potential,  and  (4)  competitive  advantage.50  Mr.  Shack 
highlighted  several  projects,  none  of  which  targeted  the  firm’s  information  security 
posture,  as  proof  of  the  processes’  strategic  planning  validity.51  Strategic  information 
security  investments  are  subjective  non-revenue  generating  activities  that  companies 
calculate  as  expenses.  The  corporate  sector’s  unwillingness  to  link  strategic  information 
security  investments  to  valid  business  objectives  creates  underfunded  cybersecurity 
environments.  In  2012,  PricewaterhouseCoopers  (PwC)  released  its  global  IT  security 
corporate  investment  analysis  report  that  surveyed  9,300  CIOs,  CEOs,  and  IT  managers 
on  their  organization’s  preparedness  against  cyber  attacks.  The  report  presents  four  key 
statistics  that  dispel  the  myth  of  effective  self-regulation.52 


•  8%  exercise  essential  IT  security  key  best  practices 
such  as  delivering  security  reports  to  the  CEO. 

•  42%  execute  an  effective  IT  security  strategy 

•  71%  use  adware  and  spyware  detection  tools  (down 
from  83%  in  2011) 

•  16%  conducted  an  inventory  of  essential  company  data 
in  (down  from  22%)  to  determine  the  organization  risk 
level  in  the  event  of  a  cyber  attack. 

Although  the  2003  Strategy  to  Secure  Cyber  Space  contends  that  “...the  [economic] 
market  itself  is  expected  to  provide  the  major  impetus  to  improve  cybersecurity,”  Mark 
Lobel,  principal  and  primary  PwC  report  contributor,  stated  that  “instead  of  risk  driving 

49  National  Information  Center,  "The  Top  50  Holding  Companies,"  The  Federal  Reserve, 
http://www.ffiec.gov/nicpubweb/nicweb/Top50Form.aspx  (accessed  February  1,  2013). 

PNC  is  now  the  tweltfh  largest  Financial  Services  Instituition  within  the  United  States.  ($300B) 

50  Overby,  “Tips  From  the  Budget  Masters.” 


55 


[IT]  security  budgets,  it’s  [IT  security  measures]  what  can  the  company  afford.” 
Capitalist  economies  naturally  suppress  non-revenue  generating  investments  unless  an 
external  factor,  such  as  a  federal  requirement,  forces  its  occurrence.  The  2003  National 
Strategy  to  Secure  Cyber  Space  is  built  upon  the  Self-Regulation  theory  that  runs 
contrary  to  the  realities  within  the  economic  marketplace. 

The  second  Self-Regulation  principle,  upon  which  the  2003  National  Strategy  to  Secure 
Cyber  Space  rests,  is  the  reliance  upon  voluntary  public -private  information  sharing 
partnerships  to  secure  the  cyber  space  of  critical  infrastructure.  The  argument  for 
voluntary  public -private  partnerships  is  grounded  within  the  following  2003  National 
Strategy  to  Secure  Cyber  Space  statement: 


Most  critical  infrastructures,  and  the  cyber  space  on  which  they  rely,  are 
privately  owned  and  operated.  The  technologies  that  create  and  support 
cyber  space  evolve  rapidly  from  private  sector  and  academic  innovation. 
Government  alone  cannot  sufficiently  secure  cyber  space.  Thus,  President 
Bush  has  called  for  voluntary  partnerships  among  government,  industry, 
academia,  and  nongovernmental  groups  to  secure  and  defend  cyber 

54 

space. 

The  2003  National  Strategy  to  Secure  Cyber  Space  further  supports  the  Self-Regulation 
principle  of  voluntary  public-private  partnerships  by  touting  the  United  States’  federalist 
traditions  which  require  the  private  sector  to  “take  the  lead”  in  matters  of  cybersecurity.55 
The  2003  National  Strategy  correctly  concludes  that  “Government  alone  cannot 


53  Joel  Schectman,  "PwC:  Companies  Trim  IT  Security  as  Budgets  Stagnate,"  Wall  Street  Journal, 
http://blogs.wsi.com/cio/2012/09/20/pwc-companies-trim-it-security-as-budgets- 

stagnate/?KEYWORDS=cybersecurity  (accessed  February  1,  2013). 

54  U.S.  President,  The  National  Strategy  to  Secure  Cyberspace,  2.  (emphasis  added) 

55  Ibid.,  14. 
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sufficiently  secure  cyber  space.”56  However,  when  participants  to  a  partnership  have 
“skin  in  the  game”  the  ability  to  disengage  from  the  relationship  becomes  difficult. 

In  201 1,  House  Republicans  created  a  Cybersecurity  Task  Force  in  response  to  an 
acknowledged  lack  of  cyber  preparedness  within  the  nation’s  critical  infrastructures. 

The  Task  Force’s  report  acknowledged  the  federal  government’s  inherent  responsibility 
to  secure  the  nation’s  critical  infrastructure  against  catastrophic  cyber-attacks  and 

r  o 

advocated  regulatory  measures.  The  report  recommends  that  “there  may  be  instances 
where  additional  direct  regulation  of  an  industry  that  is  already  highly  regulated  (nuclear 
power,  electricity,  chemical  plants,  water  treatment)  may  be  warranted.” 59  The  report 
formed  the  foundation  of  a  comprehensive  cybersecurity  bill,  the  Promoting  and 
Enhancing  Cybersecurity  and  Information  Sharing  Effectiveness  (PrECISE  Act),  that 
included  regulating  privately  owned  critical  infrastructure.60  However,  for  reasons  that 
are  unclear,  but  almost  certainly  related  to  the  Self-Regulation  theory,  task  force 
members  withdrew  the  bill  from  consideration  and  disavowed  the  report  they  endorsed 
only  a  few  months  earlier.  61 


56  Ibid.,  2. 

57  House  Republican  Cybersecurity  Task  Force,  Recommendations  of  the  House  Republican 
Cybersecurity  Task  Force  (Washington  DC:  Government  Printing  Office,  2011), 

http://thornberry. house,  gov/uploadedfiles/cstf  final  recommendations.pdf  (accessed  February  4,  2013),  5- 
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58  Ibid. 

59  Ibid,  (emphasis  added ) 

60  GauthamNagesh,  "House  Cybersecurity  Bill  would  Establish  Federal  Overseer,"  The  Hill, 
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(accessed  February  18,  2013). 

61  James  A.  Lewis,  "Code  Red,"  Foreign  Policy,  August  2012, 
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The  First  Obama  Administration  (2009-2012) 

The  2009  Cyber  Space  Policy  Review 

In  2009,  the  Obama  Administration  issued  its  signature  cybersecurity  policy 
titled,  the  2009  Cyber  Space  Policy  Review  ( 2009  Policy  Review ).  The  Cyber  Space 
Policy  Review  is  the  result  of  an  executive  level  60-day  “clean-slate”  review  of  United 
States’  cybersecurity  policies  and  frameworks.62  Based  on  Thomas  Kuhn’s  theory  of 
change,  the  “clean-slate”  approach  represents  a  potential  conceptual  recognition  of 
prodromal  symptoms  that  leads  to  an  impending  intellectual  crisis.  The  United  States 
traditional  cybersecurity  theories  and  underlying  principles  expose  the  nation’s  critical 
infrastructure  to  unacceptable  risk  levels. 

The  2009  Cyber  Space  Policy  Review  presents  two  policy  concepts  that  are 
divergent  from  the  United  States’  traditional  approach  to  cybersecurity.  First,  the  2009 
Policy  Review  seeks  to  revamp  the  traditional  public -private  partnership  relationship. 
Organizations  often  underfund  non-revenue  generating  activities,  such  as  strategic 
information  security  investments,  due  to  the  lack  of  a  perceived  valid  business  case.  The 
2009  Policy  Review  acknowledges  the  private  sector’s  difficulty  in  demonstrating  a 
compelling  business  case  for  cybersecurity  investments  to  shareholders  and  boards  of 
directors.63  The  2009  Policy  Review  suggests  that  “there  are  various  approaches  the 
Federal  government  could  take  to  address  these  challenges,  some  of  which  may  require 
changes  in  law  and  policy.”64  During  2011  Congressional  hearings  on  the  Obama 
Administration’s  cybersecurity  legislative  proposals,  Larry  Clinton,  President/CEO  of  the 

62  U.S.  President,  Cyberspace  Policy  Review,  ii. 

63  Ibid.,  17. 

64  Ibid. 
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Internet  Security  Alliance,  argued  against  changes  to  current  legislative  frameworks.65 
However,  Mr.  Clinton  bolstered  the  2009  Policy  Review ’s  premise  for  increased 
legislation  by  stating,  “Some  have  suggested  that  the  market  has  failed  to  produce  the 
needed  technology  to  address  the  cyber  threat.  That  is  not  the  case. . .  .The  fact  is  that 
many  companies  don’t  see  an  adequate  ROI  to  cyber  investments.”66  The  2009  Policy 
Review  supports  the  adoption  of  legislation  that  creates  monetary  cybersecurity 
incentivizes  for  the  private  sector.  The  most  promising  concept  includes  “reduced 
liability  in  exchange  for  improved  security  or  increased  liability  for  the  consequences  of 
poor  security.”67  Since  liability  costs  are  among  senior  management’s  most  pressing 
concerns,  such  an  approach  provides  corporate  managers  with  a  compelling  business  case 
for  information  security  strategic  investments.  Although  incentive  based  legislation 
would  greatly  assist  the  business  case  effort,  CEOs  and  CIOs  must  communicate  the 
monetary  value  of  cyber  vulnerabilities  absent  of  legislative  incentives. 

Second,  the  new  policy  insists  that  the  Executive  Office  of  the  President  is  best 
positioned  to  create  synergy  among  federal  agencies.  It  contends  that  the  federal 
government  must  never  abrogate  its  national  security  responsibilities  to  private  sector 
balance  sheets.  Specifically,  the  2009  Policy  Review  asserts  that  the  United  States’ 
dependence  upon  information  and  computing  technologies  requires  leadership  that  is 
anchored  to  the  authority  of  the  National  Security  Council  (NSC)  and  the  President  of  the 
United  States.  In  December  2009,  President  Obama  appointed  Mr.  Howard  Schmidt  to 


65  House  Committee,  Examining  the  Homeland  Security  Impact,  32. 

66  Ibid. 

67  U.S.  President,  Cyberspace  Policy  Review ,  ii. 
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the  post  of  Cybersecurity  Coordinator.68  Under  Mr.  Schmidt’s  leadership,  the  Obama 
Administration  submitted  a  comprehensive  legislative  proposal  to  Congress  that  sought  to 
increase  federal  authority  over  selected  critical  infrastructures.69  The  Senate  included 
many  of  the  Obama  Administration’s  proposals  within  the  Cybersecurity  Act  of  2012. 

70 

Unfortunately,  the  Cybersecurity  Act  of  2012  failed  to  pass  a  Senate  vote. 

Additionally,  Mr.  Schmidt  led  the  Administration’s  initiatives  to  establish  Continuous 
Monitoring  procedures,  risk-based  cyber  management  models,  and  Trusted  Internet 
Connections  (TIC)  within  the  Federal  Information  Security  Management  Act.  In  May 
2012,  Mr.  Michael  Daniel  replaced  Mr.  Schmidt  upon  his  retirement  from  government 
service.  The  long  term  impacts  of  a  national  Cybersecurity  Coordinator  are  not  yet 
certain. 

Lastly,  the  2009  Policy  Review  embraces  the  public-private  partnership  principle, 
but  insists  that  traditional  partnerships  lack  the  organizational  structures  required  to 
create  meaningful  results.  The  2009  Policy  Review  references  a  “diffusion  of  effort” 
within  the  traditional  public-private  principle  that  prevents  participants  from  sharing 
ownership  of  the  problem.  Since  1997,  Presidential  Directives  and  Executive  Orders 
created  countless  public-private  information  sharing  committees  with  underwhelming 
results.  The  2009  Policy  Review  advances  two  concepts  designed  to  reduce  the  barriers 


68  The  White  House,  "Introducing  the  New  Cybersecurity  Coordinator,"  The  White  House, 
http://www.whitehouse.gov/blog/2009/12/22/introducing-new-cvbersecurity-coordinator  (accessed 
February  9,  2013). 

69  House  Committee,  Examining  the  Homeland  Security  Impact,  32. 

70  Jennifer  Rizzo,  "Cybersecurity  Deal  Fails  in  Senate,"  Turner  Broadcasting  System,  Inc., 
http://www.cnn.com/2012/08/02/politics/cybersecuritv-act  (accessed  January  20,  2013). 

71  U.S.  President,  Cyberspace  Policy  Review,  17. 

72  Ibid.,  18. 
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to  effective  public-private  partnerships.  First,  the  traditional  public -private  partnership 
principle  is  based  on  a  volunteer  approach  that  is  devoid  of  defined  roles  and 
responsibilities.  The  2009  Policy  Review  states  that  the  federal  government  should 
provide  the  resources  and  organizational  structure  to  existing  partnerships  in  an  effort  to 
create  accountability,  optimize  efforts,  and  develop  executable  response  and  recovery 
plans.  Second,  the  policy  favors  a  legislative  framework  that  tethers  private  sector 
participants  to  mandatory  participation,  clear  objectives,  and  measurable  response  and 
recovery  plans.74  Many  private  sector  stakeholders  worry  that  information  sharing  with 
the  DHS  ultimately  leads  to  the  disclosure  of  egregious  cyber  vulnerabilities,  divulgence 
of  trade  secrets,  or  the  reduction  of  stock  price  or  public  trust.  While  current  laws  such 
as  the  Critical  Infrastructure  Information  Act  address  many  private  sector  concerns,  the 
potential  damage  from  public  knowledge  of  cyber  vulnerabilities  within  corporate 
information  systems  may  have  irreversible  effects  on  public  trust  or  stock  prices.76 
However,  the  Obama  Administration  insists  that  a  tailored  limited  liability  program  is  a 
necessary  step  to  create  a  public -private  partnership  that  secures  national  infrastructure. 


Numerous  United  States  public -private  forums  set  out  to  measurable  reduce  the  nation’s  risk  to 
cyber  threats  to  include  the  Critical  Infrastructe  parnership  Advisory  Council  (CIPAC),  the  enduring 
Security  Framework,  the  Sector  coordinationg  Councils  (SCCs),  Government  Coordinating  Councils 
(GCCs),  the  Federal  bureau  of  Investigation’s  InfraGard,  U.S.  Secret  Service’s  Electronic  Crimes  Task 
Forces,  the  National  security  Telecomunicaiotns  Advisory  Committee  (NSTAC),  the  National 
Infrastrucutre  Advisory  Council  (NIAC),  the  Homeland  Secuiryt  Adviroyr  Counci,  and  countless 
associated  subcomittess  and  working  groups. 

73  U.S.  President,  Cyberspace  Policy  Review,  18. 


75  Ibid.,  19. 
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Ibid. 


61 


CHAPTER  3:  RECOMMENDATIONS 


“There  are  no  intrinsic  “laws  of  nature”  for  cyber-security  as  there  are,  for  example,  in 
physics,  chemistry  or  biology.  Cyber-security  is  essentially  an  applied  science  that  is 
informed  by  the  mathematical  constructs  of  computer  science  such  as  theory  of  automata, 
complexity,  and  mathematical  logic”.  '  The  JASON  Study  Group. 

This  section  presents  the  author’s  cybersecurity  of  critical  infrastructure  paradigm 
in  the  form  of  four  recommended  principles: 

1 .  Redefining  Cyberspace 

2.  Game  Changing  Culture 

3.  Open  Information  Highway  with  Secured  Exits  and  Assets 

4.  Limited  Liability  Legislation 

Collectively,  the  recommended  principles  create  a  paradigm  that  runs  contrary  to 
traditional  cybersecurity  beliefs  including  the  notions  that  (1)  voluntary  information 
sharing  between  industry  and  government  is  more  effective  than  directed  sharing,  (2) 
economic  market  forces  inherently  drive  private  owners  of  critical  infrastructures  toward 
cybersecurity  best  practices,  and  (3)  incremental  cybersecurity  improvement  is  more 
effective  than  revolutionary  changes. 

Recommendation:  Redefining  Cyberspace 

Inadequate  cybersecurity  definitions  lead  United  States  policy  makers  toward  the 
creation  of  ineffective  cybersecurity  of  critical  infrastructure  policies.  Effective 
cybersecurity  solutions  emanate  only  from  accurate  definitions  of  cyberspace.  Both  the 
Department  of  Defense  and  the  Center  for  Technology  and  National  Security  Policy 
(CTNSP)  present  useful  cyberspace  definitions.  However,  the  Department  of  Defense’s 


1  The  MITRE  Corporation,  Science  of  Cybersecurity  (Rosslyn,  VA:  The  Office  of  the  Under 
Secretary  of  Defense  for  Acquisition,  Technology,  and  Logistics,  2010), 
www.fas.org/irp/agencv/dod/iason/cyber.pdf  (accessed  March  19,  2013). 
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cyberspace  definition  fails  to  identify  cyberspace’s  purpose.”  The  lack  of  an  explicit 

purpose  within  the  DoD  definition  handicaps  both  the  cybersecurity  policy  maker  and 

practitioner’s  ability  to  link  cybersecurity  national  interests  (ends)  and 

strategic/operational  tasks  (ways)  to  appropriate  resources  (means).  While  the  CTNSP 

definition  correctly  identifies  cyberspace’s  purpose  as  the  ability  to  “create,  store, 

modify,  exchange,  and  exploit  information,”  it  fails  to  convey  the  essential  role  of 

software  code  within  cyberspace.  Software  code,  not  the  Internet,  is  both  valued  by  the 

system  owner  and  targeted  by  the  cyber  attacker.  Software  code  is  the  genesis  of  every 

benefit,  vulnerability,  and  threat  within  the  information  environment  termed  cyberspace. 

Therefore,  an  effective  cyberspace  definition  must  focus  on  information  systems,  of 

which  the  Internet  is  a  component,  that  are  underpinned  by  lines  of  software  code.  While 

largely  accurate,  neither  the  DoD  nor  the  CTNSP  definitions  conveys  the  essential  role  of 

software  code  to  cyberspace.  Below  is  this  study’s  recommended  cyberspace  definition: 

The  global  domain  within  the  information  and  communications 
environment  consisting  of  communication  links,  hardware,  and  software 
necessary  to  create,  modify,  store,  and  exchange  information  and  control 
computing  systems;  Software  code  is  acknowledged  as  the  central  element 
among  the  three  critical  components  that  direct  and  control  information 
and  computing  systems. 


2  U.S.  Department  of  Defense,  Department  of  Defense  Dictionary  of  Military  Terms  and 
Associated  Terms  (Washington  DC:  Government  Printing  Office,  November  2012),  77. 

DoD  Cyberspace  Definition:  The  human  engineered  global  domain  within  the  information 
environment  consisting  of  the  interdependent  network  of  information  technology  infrastructures,  including 
the  Internet,  telecommunications  networks,  computer  systems,  and  embedded  processors  and  controllers. 

3  Daniel  T.  Kuehl,  "From  Cyberspace  to  Cyberpower:  Defining  the  Problem,"  in  Cyberpower  and 
National  Security,  ed.  Franklin  D.  Kramer,  Stuart  H.  Starr,  and  Larry  K.  Wentz,  1st  ed.  (Dulles,  VA: 
Potomac  Books,  2009),  28. 

CTNSP  Cyberspace  Definition:  A  global  domain  within  the  information  environment  whose 
distinctive  and  unique  character  is  framed  by  the  use  of  electronics  and  the  electromagnetic  spectrum  to 
create,  store,  modify,  exchange,  and  exploit  information  via  interdependent  and  interconnected  networks 
using  information  communication  technologies. 
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This  study’s  definition  contains  three  noteworthy  distinctions  that  are  normally 
absent  from  cyberspace  constructs.  First,  the  definition  identifies  each  essential 
components  of  cybersecurity  (communication  links,  hardware,  and  software)  without 
overemphasizing  the  role  of  the  global  communication  links.  Although  responsible 
cybersecurity  policy  must  address  Internet  security,  cybersecurity  is  not  wholly  reliant 
upon  effective  Internet  security.  The  Stuxnet  Case  Study  provides  proof  that  the  lack  of 
global  Internet  connectivity  does  not  insulate  an  information  system  from  a  determined 
hacker.  Therefore,  equating  cyberspace  to  the  Internet  mistakenly  implies  the  sufficiency 
of  Internet  security  as  effective  cybersecurity.  Second,  this  study’s  definition  explicitly 
states  the  purpose  of  cyberspace  as  the  ability  “to  create,  modify,  store,  and  exchange 
information  and/or  control  computing  systems.”  Both  malicious  and  responsible  actors 
enter  cyberspace  to  conduct  information  based  functions.  Understanding  functionalities 
and  purposes  provides  insight  and  context  for  understanding  the  cyber  actors,  tactics,  and 
desired  effects.  Last  and  most  importantly,  the  recommended  definition  presents 
software  code  as  the  “central  element  among  the  three  critical  components  that  directs 
and  controls  information  and  computing  systems.”  As  previously  stated,  software  code, 
not  hardware  or  communication  links,  is  the  most  valued  prize  of  the  cyber  hacker. 
Software  represents  both  the  brains  of  computing  productivity  and  the  primary  source  of 
vulnerability.  Cyberspace  definitions  must  acknowledge  software’s  critical  role  within 
the  broader  context  of  information  and  computing  technology  systems.  Equating  the 
Internet  with  cyberspace  undermines  the  nation’s  understanding  of  the  information 
environment.  In  fact,  the  vast  majority  of  cyber  attacks  are  dedicated  to  finding, 
exploiting,  disrupting  or  destroying  unknown  vulnerabilities,  called  zero  day 
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vulnerabilities,  within  software.4  While  most  cybersecurity  literature  focuses  upon 
Internet  security,  there  is  no  defense  for  zero  day  software  vulnerability.5  The  manner  in 
which  national  policy  defines  cyberspace  drives  the  development  of  solutions  that 
address  cybersecurity  challenges. 

While  the  various  information  and  computing  functionalities  serve  as  the  purpose  for 
human  entry  into  cyberspace,  the  manner  in  which  the  United  States  pushes  the 
technological  envelope  will  determine  the  nation’s  future  cybersecurity  of  critical 
infrastructure.  The  recommendation  below  seeks  to  recapture  the  United  States 
hegemonic  role  at  the  world’s  leading  information  technology  leader.  The  United  States 
has  been  more  influential  in  the  development  of  cyberspace  than  any  other.  Likewise,  the 
Defense  Advanced  Research  Projects  Agency  provided  the  most  intellectual  capital  into 
the  development  of  cyberspace.  The  United  States  must  revitalize  this  organization 
toward  efforts  to  solve  the  puzzles  of  cybersecurity  of  critical  infrastructure. 
Recommendation:  Game  Changing  Culture 

In  December  1957,  the  United  States  completed  fast  track  production  of  its  first 
space  satellite,  Vanguard,  just  two  months  after  witnessing  the  technological  surprise  of 
the  world’s  first  orbiting  satellite,  Sputnik.6  The  explosion  of  Vanguard  on  the  launch 
pad  spurred  a  demand  for  change  from  President  Dwight  D.  Eisenhower  and  the  nation. 
The  changes  entailed  a  national  emphasis  on  science  and  technology  and  the  creation  of  a 

4 

Jeffrey  Carr,  Inside  Cyber  Warfare,  ed.  Mike  Loukides,  1st  ed.  (Sebastopol,  CA:  O'Reilly  Media 
Incorporated,  2009),  152. 

5  Ibid.,  158. 

6  Gary  Anthes,  "Timeline:  Sputnik  and  Three  Decades  of  DARPA  Hegemony,"  Computerworld 
(Online),  http://www.computerworld.eom/s/article/9037638/Timeline  Sputnik  and  Three  Decades  of 

DARPA  Hegemony  (accessed  February  7,  2013). 
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new  agency,  the  Advanced  Research  Projects  Agency,  with  a  game  changing 
organizational  culture. 

The  Advanced  Research  Projects  Agency’s  (ARP A)  mission  was  to  “prevent 
technological  surprise.”7  Its  organizational  culture  encouraged  patience  and  tolerance  for 

o 

high  risk/high-payoff  projects.  Prior  to  ARPA,  university  science  programs  were  weak 

and  outdated.9  For  the  first  four  decades  of  its  existence,  ARPA  provided  needed  funding 

to  scientific  universities  for  (then)  nebulous  concepts  to  include  artificial  intelligence  and 

computer  chips.10  However,  during  the  Global  War  on  Terrorism,  the  agency,  now  called 

the  Defense  Advanced  Research  Projects  Agency  (DARPA),  focused  on  short-term, 

pragmatic  military  objectives.* 11  DARPA  executed  a  strategic  shift  from  its  historical 

focus  of  nascent  solutions  capable  of  preventing  technological  surprise  to  “shovel  ready” 

technologies  that  support  the  current  fight.  ~  During  Congressional  hearings  on  the 

National  Defense  Authorization  Act  for  FY12,  former  DAPRA  Director,  Regina  Dugan, 

testified  in  support  of  the  need  to  return  the  agency  to  its  lineage: 

At  DARPA  we  say  that  we  must  not  lose  the  nerve  for  the  big  failure.  The 
nerve  you  need  for  the  big  failure  is  the  same  as  the  nerve  for  the  big 
success,  until  the  moment  you  know  which  it  will  be.  It’s  the  exact  same 


7  Anthes,  "Timeline:  Sputnik  and  Three  Decades  of  DARPA  Hegemony." 

8  Ibid. 

9  Gary  Anthes,  "Happy  Birthday  Sputnik!"  Computerworld  41,  no.  44  (October  2007):  44-46, 
http://search.proquest.com.ezproxy6.ndu.edu/docview/2161 188 14?accountid=  12686  (accessed  March  3, 
2013). 

10  Ibid. 

11  Anthes,  "Timeline:  Sputnik  and  Three  Decades  of  DARPA  Hegemony." 

12  U.  S.  Congress.  House  Armed  Services  Committee,  Prepared  Statement  by  Dr.  Regina  Dugan 
(Washington  DC:  U.  S.  House  of  Representatives,  2011), 

http://armedservices.house.gov/index.cfm/files/serve7File  id=7ccf4551-0f9b-4212-9349-e846475c5655 

(accessed  January  22,  2013),  6. 
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nerve... we  have  endeavored  to  revitalize  this  sensibility  at  DARPA...the 

i  'j 

Agency’s  willingness  to  take  on  the  big  risk. 

The  agency  and  its  culture  are  responsible  for  the  world’s  first  distributed 
information  network,  first  successful  email  message,  first  graphical  user  interface  (GUI) 
computer  program,  and  first  implementation  of  packet  switching  technology  into 
distributed  networks.14  DARPA,  with  its  brilliant  personnel  and  unique  organizational 
culture,  initiated  much  of  cyberspace.  The  United  States  cybersecurity  paradigm  should 
include  DARPA  as  its  lead  agent  for  game  changing  and  high  risk/high  pay  off 
innovation.  The  Defense  Advanced  Research  Projects  Agency  is  a  national  asset  that 
must  recapture  its  role  of  consistently  reaching  beyond  next  generation  technology. 

In  2005,  Kevin  Kelley,  an  Arkansas  high  school  football  coach,  executed  a 
revolutionary  shift  from  traditional  coaching  when  he  decided  to  stop  punting  the  ball  on 
fourth  down.15  Coach  Kelley’s  out  of  the  box  thinking  flies  in  the  face  of  the  traditional 
American  football  paradigm.  However,  in  the  last  three  seasons  Coach  Kelley’s  team 
punted  the  ball  only  three  times  (after  achieving  an  insurmountable  lead)  and  reached 
three  state  semifinals,  two  state  finals,  and  won  the  2011  Arkansas  5A  State 
Championship.16  Traditionalists  within  the  collegiate  and  professional  football  coaching 
ranks  scoff  at  Coach  Kelley’s  theory.  However,  the  Structure  of  Scientific  Revolutions 
warns  that  unconventional  paradigms  are  usually  met  with  an  unrelenting  intellectual 


13  Ibid,  (emphasis  added) 

14  Anthes,  "Timeline:  Sputnik  and  Three  Decades  of  DARPA  Hegemony." 

15  Gregg  Eastermann,  "State  of  High  School  Nation,"  ESPN, 

http://sports.espn. go. com/espn/page2/storv?page=easterbrook/07 1113  (accessed  February  5,  2012). 
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IV 

barrier  of  resistance.  Regardless  of  likely  criticism,  the  Advanced  Research  Projects 
Agency’s  history  and  culture  uniquely  qualifies  the  agency  to  once  again  lead  the  nation 
against  the  growing  cybersecurity  problem  set.  The  Advanced  Research  Projects  Agency 
is  the  catalyst  for  much  of  cyberspace  and  it  must  now  lead  the  nation  in  securing 
cyberspace.  The  United  States  and  DARPA  must  stop  punting  on  fourth  down. 

The  current  United  States  approach  to  cybersecurity  follows  an  incremental  and 
evolutionary  path  toward  progress.  While  software  and  technology  companies  work 
frantically  to  introduce  the  next  firewall  appliance  or  reverse  engineer  the  most  recent 
malicious  code,  cyber  vulnerabilities  and  threats  outpace  these  incremental  efforts. 

Recent  projects  at  DARPA  indicate  a  potential  shift  back  to  its  lineage.  The  next 
recommendation,  Open  Highway  and  Secure  Exits,  highlights  an  emerging  DARPA 
research  concept  that  supports  the  author’s  contention  that  Internet  security  does  not 
equal  cybersecurity.  The  next  recommendation  reflects  this  reality. 

Recommendation:  Open  Highway  &  Secured  Exits18 

The  second  recommended  paradigm  principle  requires  a  fundamental  shift  in  how 
policy  makers  think  about  cyberspace  and  cybersecurity.  This  recommendation  calls  for 
cybersecurity  policy  makers  to  direct  the  bulk  of  their  focus  on  creating  secure  and 
resilient  software  systems  and  less  focus  on  Internet  security. 

A  cybersecurity  policy  that  equates  Internet  security  with  cybersecurity  is 
misguided.  While  Internet  anonymity  remains  a  hurdle  to  global  cybersecurity, 

17  Thomas  S.  Kuhn,  The  Structure  of  Scientific  Revolutions ,  3rd  ed.  (Chicago:  The  University  of 
Chicago  Press,  1962),  65. 

18  In  Chapter  1,  this  thesis  analogized  cyberspace  as  an  intricate  transportation  systems.  “Simply 
stated,  the  Internet  is  a  networked  transport  path  (superhighway)  for  varying  sized  information  packets 
(cars,  motorcycles,  cargo  vehicles)  to  reach  desired  hardware  (homes,  office  buildings)  that  contain  valued 
information  and/or  critical  information  systems  (Assets:  money,  families,  inventory)  controlled  by 
software  (people).” 
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democratic  and  capitalist  values  flourish  in  the  presence  of  an  accessible,  global,  and 
interoperable  communications  network.  Blogs,  point  of  sale  (POS)  software,  social 
media,  and  supply  management  software  facilitate  the  success  of  both  political  activists 
and  emerging  economies.  The  alternative  to  an  interoperable  and  globally  accessible 
Internet  is  a  fragmented  information  environment,  in  which  nation  states  restrict  access  to 
advanced  technologies  under  the  guise  of  national  security  interests.19  Additionally,  the 
Stuxnet  attack  illuminates  critical  infrastructures  as  viable  cyber  targets  and  the  fallacy  of 
equating  Internet  security  with  cybersecurity.  The  United  States  cybersecurity  paradigm 
must  promote  secure  and  resilient  software,  while  accepting  a  level  of  anonymity  and  risk 
within  cyber  space.  Defense  in  depth  and  resilient  software  strategies  are  practical 
applications  of  this  principle. 

The  cybersecurity  paradigm  demands  a  defense  in  depth  philosophy  to  combat 
multiple  nefarious  actors  and  disparate  attack  techniques.  No  single  administrative, 
physical,  or  technical  access  control  measure  is  infallible.  Therefore,  the  cybersecurity 
paradigm  must  include  a  defense  in  depth  philosophy,  in  which  an  attacker  must 
penetrate  each  aspect  of  a  varied  and  layered  cybersecurity  strategy  in  order  to  achieve 
the  attack  objective.  Multiple  and  varied  access  obstacles  require  increased  expertise, 
resources,  and  capabilities  from  an  attacker.  Additionally,  the  increased  levels  of  time 
and  resources  required  to  penetrate  each  cybersecurity  layer  shifts  the  preponderance  of 
risks  and  costs  from  the  defender  to  the  attacker.  The  increased  costs  and  risks  of 


19  U.S.  President,  International  Strategy  for  Cyberspace  (Washington  DC:  Government  Printing 
Office,  May  2011), 

http://www.whitehouse.gov/sites/default/files/rss  viewer/international  strategy  for  cyberspace.pdf 

(accessed  August  15,  2012),  8. 
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exposure  associated  with  penetrating  layered  cyber  obstacles  adhere  to  William 
Kaufmann’s  concept  of  deterrence: 

Deterrence  consists  of  essentially  two  basic  components:  first,  the 
expressed  intention  to  defend  a  certain  interest;  secondly,  the 
demonstrated  capability  actually  to  achieve  the  defense  of  the  interest  in 
question  or  to  inflict  such  a  cost  on  the  attacker  that,  even  if  he  should  be 

90 

able  to  gain  his  end,  it  would  not  seem  worth  the  effort  to  him. 

Within  the  defense  in  depth  principle,  the  presence  of  inherently  secure  software 
is  the  most  important  element.  However,  the  design  and  development  of  inherently 
secure  software  is  rare.21  Software  developers  often  conclude  that  issuing  software 
patches  to  the  customer  base  is  financially  advantageous  when  compared  to  extensive 
security  testing  prior  to  software  release.  In  fact,  when  quarterly  earnings  statements 
serve  as  the  primary  measuring  stick,  integrating  inherent  software  security  at  the 
inception  of  the  software  life  cycle  development  process  is  significantly  more  expensive 
and  time-consuming.” 

Finally,  this  principle  includes  ensuring  the  impact  of  cyber  attacks  against  critical 
infrastructure  is  limited.  Future  software  systems  must  be  capable  of  resisting  and 
adapting  to  zero-day  intrusions.  In  2010,  DAPRAs  Information  Innovation  Office  (IIO) 
launched  the  Clean-Slate  Design  of  Resilient  Adaptive  Secure  Host  (CRASH)  program 


20  Adam  Bernstein,  "Obituaries:  Defense  Expert  William  Kaufmann,"  Washington  Post, 
December  17,  2008,  http://www.washingtonpost.com/wp- 

d yn/content/article/2008/ 12/1 6/AR2008 1216027 24. html  (accessed  January  15,  2013). 

21  Seymour  Goodman  and  Herbert  Lin,  Toward  a  Safer  and  More  Secure  Cyberspace 
(Washington  DC:  National  Academy  Press,  2007),  88. 

~2  David  Rice,  G  eekononi  ics :  11 1  e  Real  Cost  of  Insecure  Software,  (Boston,  MA:  Pearson 
Education,  2008),  Kindle  E-Book,  Chapter  2. 
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that  contains  the  potential  of  reversing  the  asymmetrical  nature  of  cybersecurity.-  The 
CRASH  research  program  explores  how  to  design  computer  systems  that  are  less 
vulnerable  to  cyber  intrusions  and  more  resilient  in  the  event  of  data  breech.  The 
CRASH  program  includes  several  projects  that  are  founded  upon  a  single  question:  If  the 
computer  industry  could  redesign  computers  and  software,  what  would  it  do 
differently?-  One  CRASH  initiative  seeks  to  create  operating  systems  that  emulate  the 
resiliency  and  adaptability  of  the  human  immune  system.  The  human  immune  system 
contains  separate  virus  barriers  capable  of  stopping  known  virus  while  other  systems 
remember  and  alter  cells  in  preparation  for  future  attacks.  A  separate  CRASH  initiative 
explores  a  new  computing  architecture  in  which  every  data  packet  contains  credentialing 
information.  Without  the  necessary  credentialing  information,  the  receiving  computer 
systems  could  not  process  the  incoming  data.  This  solution  allows  for  an  open  Internet, 
but  secures  the  valued  information  system  from  untrusted  data  packets. 
Recommendation:  Limited  Liability  Legislation 

The  United  States  requires  a  fundamentally  different  approach  to  cybersecurity 
that  includes  targeted  legislation  for  private  owners  of  critical  infrastructure.  Since  the 
late  1990s,  the  Self-Regulation  theory  remains  the  foundation  of  the  United  States’ 
cybersecurity  paradigm.  The  Self-Regulation  theory  purports  that  volunteer 
public/private  partnerships  and  market  driven  strategic  investments  lead  to  cybersecurity 
best  practices.  However,  the  previous  fifteen  years  is  characterized  by  increasing  cyber 
related  vulnerabilities  and  decreasing  information  security  strategic  investments.  In 

24  John  Markoff,  "Killing  the  Computer  to  Save  It,"  New  York  Times,  October  30,  2012, 
http://www.nvtimes.com/2012/10/30/science/rethinking-the-computer-at-80.html?pagewanted=all&  r=0 

(accessed  November  18,  2012). 
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2009,  the  Wall  Street  Journal  reported  that  according  to  national  security  officials 
“cyberspies  have  penetrated  the  U.S.  electrical  grid  and  left  behind  software  programs 
that  could  be  used  to  disrupt  the  system,  according  to  current  and  former  national-security 
officials.”26  The  United  States  Industrial  Control  System  Cyber  Emergency  Response 
Team  (ICS-CERT)  reports  that  the  number  of  cyber  incidents  directed  against  U.S. 
critical  infrastructure  increased  from  a  nearly  non-existent  level  in  2009  to  roughly  two 
hundred  in  2011.  The  report  also  indicates  that  water  supplies  are  the  predominate 
targets  of  attack.”  The  Self-Regulation  theory  runs  contrary  to  both  corporate  strategic 
investment  decision  making  and  the  growing  cyber  threat  environment. 

In  201 1,  the  1 12th  Congress  sought  to  create  legislation  to  secure  critical 
infrastructure.  Some  members  of  Congress  sought  to  adjust  the  nation’s  dependence  on 
the  Self-Regulation  theory.  The  1 12th  Congress  held  roughly  sixty  hearings  on 
cybersecurity  and  introduced  over  twenty  significant  cyber  related  bills.  The  Cyber- 
Security  Act  of  2012  and  SECURE  IT  Act  of  2012  were  the  most  significant  efforts 
toward  comprehensive  cybersecurity  legislation.  Both  General  Keith  Alexander, 
Commander  USCYBERCOM  and  Director,  National  Security  Agency,  and  General 
Martin  Dempsey,  Chairman  of  the  Joint  Chiefs  of  Staff,  submitted  letters  to  Congress 
urging  the  passage  of  comprehensive  cybersecurity  legislation.  General  Alexander 
stated,  “The  cyber  threat  facing  the  Nation  is  real  and  demands  immediate  action.  The 


“  Chris  Brantley,  "Congress  Swings,  Misses  on  Cybersecurity,"  IEEE, 
http://www.todavsengineer.org/2012/Sep/cvbersecurity.asp  (accessed  March  3,  2013). 

27  Ibid. 

28  Ibid. 


Brantley,  "Congress  Swings,  Misses  on  Cybersecurity." 
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time  to  act  is  now;  we  simply  cannot  afford  further  delay.”  Despite  Congress’  genuine 
concern  and  recommendations  from  the  nation’s  top  military  advisors,  Self-Regulation 
theorists  derailed  both  the  Cyber-Security  Act  of  2012  and  SECURE  IT  Act  of  2012. 
Congress  presented  a  Chamber  of  Commerce  letter  to  the  Congressional  floor  just  prior 
to  the  vote  on  the  Cyber-Security  Act  of  2012.  The  letter  stated  that  the  bill  “could 
actually  impede  U.S.  cyber-security  by  shifting  businesses’  resources  away  from 
implementing  robust  and  effective  security  measures  and  toward  meeting  government 
mandates.”31 

The  lack  of  financial  incentives  dissuades  the  private  sector  from  voluntarily 
hardening  critical  infrastructure  information  environments.  In  August  2010,  the  National 
Institute  for  Standards  and  Technology  (NIST),  the  Federal  Energy  Regulatory 
Commission  (FERC),  and  over  five  hundred  private  sector  participants,  developed  and 
issued  the  nation’s  first  electrical  Smart  Grid  cybersecurity  guidelines.  However,  a 
GAO  review  concluded  that  the  FERCs  lack  of  legislative  authority  hinders  a  complete 
understanding  of  Smart  Grid  vulnerabilities.  The  GAO’s  office  reached  five  additional 
conclusions  which  point  to  the  failure  of  a  self-regulating  voluntary  approach:34 

•  The  electric  industry  does  not  have  an  effective  mechanism  for 
sharing  information  on  cybersecurity. 

•  Consumers  are  not  adequately  informed  about  the  benefits,  costs, 
and  risks  associated  with  smart  grid  systems 


30 


Ibid. 


31 


Ibid. 


32  House  Committee  on  Homeland  Security,  Examining  the  Cyber  Threat  to  Critical 
Infrastructure  and  the  American  Economy,  112th  Cong.,  1st  sess.,  March  16,  2011.,  43. 

33  Government  Accounting  Office,  Progress  Being  Made  on  Cybersecurity  Guidelines,  but  Key 
Challenges  Remain  to  be  Addressed,  by  David  Powner  and  David  Trimble  (Washington  DC:  Government 
Printing  Office,  2011). 
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•  There  is  a  lack  of  security  features  being  built  into  certain  smart 
grid  systems. 

•  The  electricity  industry  does  not  have  metrics  for  evaluating 
cybersecurity. 

The  United  States  cybersecurity  paradigm  must  include  legislation  that  mandates 
two-way  information  sharing,  limited  liability  for  corporate  disclosure  of  cyber 
vulnerabilities,  financial  incentives,  and  financial  penalties  for  egregious  cyber  neglect. 
Effective  legislation  will  avoid  prescriptive  standards  that  are  easily  outpaced  by 
technological  advances.  Other  precedents  for  cybersecurity  standards  can  be  found  in  the 
Consensus  Audit  Guidelines  (CAG)  developed  by  a  consortium  of  federal  agencies, 
including  the  National  Security  Agency,  and  several  private  sector  organizations.  The 
CAG  standards  are  both  technology  focused,  but  broad  enough  to  encompass 
cybersecurity  principles  over  an  extended  period  of  time.36  The  United  States 
government  maintains  an  inherent  responsibility  to  protect  the  nation  and  its  citizens  from 
catastrophic  attacks  against  the  homeland.  An  effective  cybersecurity  law  provides 
needed  accountability  to  policy  guidance.  While  effective  legislation  must  not  rest  upon 
quarterly  balance  sheets  or  voluntary  private/public  partnerships,  neither  can  it  undermine 
national  interests  or  values  such  as  economic  globalization  or  privacy  rights. 
Cybersecurity  legislation  must  include  limited  liability,  financial  incentives  and  penalties, 
and  contain  enough  flexibility  to  withstand  a  changing  technological  environment. 


35  Government  Accounting  Office,  Progress  Being  Made  on  Cybersecurity  Guidelines,  43. 


36 


Ibid. 
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CONCLUSION 


The  United  States  paradigm  for  the  cybersecurity  of  critical  infrastructure  is 
flawed.  For  nearly  two  decades,  the  Self-Regulation  and  Incremental  Progress  theories 
misinformed  Presidential  and  Congressional  cybersecurity  policy  makers.  A  rapidly 
evolving  cyber  threat  environment  proved  these  theories  ineffective.  The  technological 
explosion  of  the  Information  Age  continues  to  decrease  the  costs  and  expertise  required 
to  launch  increasingly  complex  cyber  attacks.  While  the  development  of  malicious  code 
comparable  to  Stuxnet  is  currently  beyond  the  capability  and  means  of  all  except  nation 
states,  the  Stuxnet  attack  confirms  critical  infrastructure  as  highly  valued  targets. 
Additionally,  the  Stuxnet  attack  points  to  a  future  where  extremely  sophisticated 
malicious  code  becomes  available  on  the  black  market  at  costs  affordable  to  a  wider 
threat  audience.  In  order  to  prepare  for  such  an  occurrence,  the  United  States  must 
undergo  a  cybersecurity  paradigm  change. 

This  thesis  recommends  three  principles  as  part  of  a  new  United  States  paradigm 
for  the  cybersecurity  of  critical  infrastructure.  First,  the  United  States  must  revitalize  the 
Defense  Advanced  Research  Projects  Agency,  its  organizational  culture,  and  its  historical 
penchant  to  take  on  high  risk/high  payoff  game  changing  innovation.  Second,  policy 
makers  must  reduce  the  inclination  to  equate  cybersecurity  with  Internet  security. 

Instead,  policy  makers  must  think  in  terms  of  inherently  secure  software  systems.  Lastly, 
the  United  States  requires  cybersecurity  legislation  that  includes  limited  liability, 
financial  incentives,  as  well  as,  financial  penalties  for  private  owners  of  critical 
infrastructure.  Collectively,  the  new  paradigm  will  increase  the  risks  and  costs  of  a  cyber 
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attacker  while  reducing  costs  and  risks  to  the  cyber  defenders  of  United  States  critical 
infrastructure. 
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APPENDIX  1:  CRITICAL  FOUNDATIONS  SEVEN  POINT  STRATEGY 
Critical  Foundations  Seven  Point  Strategy37 
Establishing  the  Partnership. 

Promote  a  partnership  between  government  and  infrastructure  owners  and 
operators  beginning  with  increased  sharing  of  information  relating  to 
infrastructure  threats,  vulnerabilities,  and  interdependencies. 

Building  the  Partnership. 

Ensure  infrastructure  owners  and  operators  and  state  and  local 
governments  are  sufficiently  informed  and  supported  to  accomplish  their 
infrastructure  protection  roles. 

Structuring  the  Partnership. 

Establish  national  structures  that  will  facilitate  effective  partnerships 
between  the  federal  government,  state,  and  local  governments,  and 
infrastructure  owners  and  operators  to  accomplish  national  infrastructure 
assurance  policy,  planning  and  programs. 

Report  on  Awareness  and  Education. 

Elevate  national  awareness  of  infrastructure  threat,  vulnerability,  and 
interdependency  assurance  issues  through  education  and  other  appropriate 
programs. 

Leading  by  Example. 

Initiate  a  series  of  information  security  management  activities  and  related 
programs  demonstrating  government  leadership. 

Legal  Initiatives. 

Sponsor  legislation  to  increase  effectiveness  of  federal  infrastructure 
assurance  and  protection  efforts. 

Research  and  Development. 

Increase  investment  in  infrastructure  assurance  research  from  $250  million 
to  $500  million  in  FY99,  with  incremental  increases  over  a  five-year 
period  to  $1  billion  in  FY04. 


37  President's  Commission  on  Critical  Infrastructure  Protection,  Critical  Foundations:  Protecting 
Americas  Infrastructure  (Washington,  DC:  Government  Printing  Office,  October  1997),  v. 
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